Foreword







The first two AMAST conferences, respectively held in May 1989 and May 1991 at the University of Iowa, were well received and encouraged the regular organization of further AMAST conferences on a biennial schedule.

The goal of these conferences is to foster algebraic methodology as a foundation for software technology, and to show that this can lead to practical mathematical alternatives to the ad-hoc approaches commonly used in software engineering and development.

While the AMAST goal is mainly research-oriented, the relevance of adequate mathematical education of software developers is recognized as well. In order to be effective in this direction, the first day of the third AMAST conference is dedicated to this special interest topic. A summary of the opening talk by Hans-Jörg Kreowski and preliminary versions of the two invited papers, respectively by David L. Parnas and by Jacques Printz, are included in these proceedings. Yuri Gurevich and István Németi are in charge of animating and moderating the discussion on education.

As to the research-oriented contents of the proceedings, these consist of 8 invited papers and 32 extended abstracts of selected communications. The selection was very severe, since a record of 121 submissions was received; besides the selected communications, 14 other submissions were judged to deserve presentation, but could not be selected because of the programme constraints.

The AMAST goal motivates the interest in showcasing software systems that are developed, or help development, by algebraic methods, techniques and tools. The AMAST'93 programme features seven demonstrations of such systems. Short descriptions of these systems form the closing part of these proceedings.

While the geographical scope of AMAST has rapidly grown to encompass all continents, as one can see from the contents of these proceedings, the fourth AMAST conference is expected to be held at Concordia University, Montréal, in June 1995.

The financial and organizational support by the AMAST’93 sponsors is gladly acknowledged. 

We would like to thank Ms. Charlotte Bijron, Ms. Alice Hoogvliet-Haverkate, Ms. Joke Lammerink, and Ms. Yvonne Rokker for taking excellent care of the conference secretariat.

Finally, we owe special thanks to Yuri Gurevich for allowing us to open the proceedings with 
the text of the intriguing banquet speech which he delivered to the second AMAST meeting. 
Starting with his humour and finesse d’esprit will certainly set the third AMAST meeting in 
the best mood towards the accomplishment of its goals. 

AMAST’93 Organizing Committee 
Enschede, June 1993 
AMAST'93 Sponsors


The AMAST'93 conference is made possible by the financial and organizational support of the following institutions:

• Commission of the European Communities, within the ESPRIT Basic Research Programme 

• Office of Naval Research 

• University of Twente 

• University of Iowa 

• University of Stirling 

• Institut National de Recherche en Informatique et Automatique (INRIA)

• University of Paris VII, LITP 

• Concordia University, Montreal 

• University of Ottawa 

• University of Constantine 

• University of Madrid 

• University of Chicago


The AMAST'93 conference is held under the auspices and with the cooperation of the following associations:

• European Association for Theoretical Computer Science (EATCS)

• Association for Symbolic Logic (ASL) 

• British Computer Society/Formal Aspects of Computing Science (BCS/FACS)

• ESPRIT Basic Research Working Groups COMPASS and ASMICS 


Cooperation is pending with the following associations:

• Association for Computing Machinery (ACM), SIGACT and SIGSOFT 

• IEEE Computer Society 






Advance Programme


Third International Conference 
on 

Algebraic Methodology and Software Technology, AMAST'93
University of Twente, The Netherlands, June 21-25, 1993

The goal of the third AMAST conference, to be held on June 21-25, 1993, at the University of Twente, Enschede, The Netherlands, is to consolidate the trend towards using algebraic methodology as a foundation for software technology, and to show that universal algebra provides a practical mathematical alternative to the common, ad-hoc approaches to software engineering and development. Academia and industry are both beneficiaries of such a formal foundation.

To achieve the goal of the conference we aim to provide a forum in which leading researchers in mathematics, computer science, and software development will come together to identify algebraic methodologies that are applicable as viable alternatives to the present software development approaches, and to discuss the appropriateness of such alternatives with a view to implementation.


Education Day (Monday 21 June)


While the AMAST goal is mainly research-oriented, the relevance of education is recognized as well. In particular, the adequacy of the mathematical education of designers, implementors, users and maintainers of software artifacts is recognized as being of special interest. The evaluation of, and the provision of recommendations about, the mathematical training of software developers is a necessary means to achieve that adequacy. In order to be effective in this direction, the first day of the conference will be dedicated to this special interest topic. The Education Day will start with an introductory talk by the Education Day Chairman, setting general objectives and guidelines, and proceed with two sessions; each session will have an Invited Speaker, talking about mathematical education of the software engineer, and a Session Moderator, controlling and animating the subsequent open discussion.

As a preliminary indication, the Education Day should aim at answering such questions as:

• How do we educate software designers, implementors, users, maintainers? 

• What should be the ideal mathematical background of a software designer, implementor, etc.? 

• What do we need to add to the conventional way of teaching mathematics to make it more acceptable, convenient, and useful to the software designer?

The programme of the first day of the conference is thus as follows:


08:30-09:30 Registration
09:30-09:45 AMAST'93 opening address

Education Day

Opening:

09:45-10:30 Invited Talk: Hans-Jörg Kreowski (Univ. of Bremen, D):

Some tentative thoughts on teaching computer science
10:30-11:00 Coffee break

Morning Session (Moderator: Yuri Gurevich, Univ. of Michigan, Ann Arbor, USA)

11:00-11:45 Invited Talk: David Lorge Parnas (McMaster Univ., Ontario, CDN):

Mathematics of computation for (software and other) engineers
11:45-13:00 Discussion
13:00-14:00 Lunch break

Afternoon Session (Moderator: István Németi, Math. Inst., Acad. Sci., Budapest, H)

14:00-15:15 Invited Talk: Jacques Printz (Cons. Nat. des Arts et Métiers, Paris, F):

Mathematical training for the software developers: a practical experience
15:15-16:30 Discussion
16:30-17:00 Conclusions
17:00- AMAST'93 welcoming reception
Tuesday 22 June

morning

09:00-09:50 IwvlTED Talk: 

Hejnai Andieke , btvaa Nimeti k lldihi^ (Math. Inst., Acad. Sd., Budapest): 
Afjfifing algebraic logic to logic 
09:50-10:10 Coffee break 

Session: Algebraic metamathematics (Chair: William S. Hatcher)

10:10-10:40 D. Pigozzi, A. Salibra (Iowa SU, U. Bari):

Dimension-complemented lambda-abstraction algebras
10:40-11:10 T. Mossakowski (U. Bremen):

Parametrised recursion theory - A tool for the systematic classification of specification methods

11:10-11:30 Coffee break 

Session: Extending functional languages (Chair: Chris Brink)

11:30-12:00 T. Sheard (Oregon GIST): 

Adding algebraic methods to traditional functional languages by using reflection 
12:00-12:30 D. Bolignano, M. Debabi (Bull France): 

A coherent type inference system for a concurrent, functional and imperative programming 
language 

12:30-14:00 Lunch break

afternoon

14:00-14:50 Invited Talk:

Roger D. Maddux (Iowa State Univ., Dept. Math.): 

Relation algebras for reasoning about time, space, and programs 
14:50-15:10 Coffee break 

Session: Relation algebra (Chair: Don Pigozzi)

15:10-15:40 C. Brink, K. Britz, R.A. Schmidt (U. Cape Town, MPI Saarbrucken): 

Peirce algebras

15:40-16:10 R. Berghammer, A. Haeberer, G. Schmidt, P. Veloso (UB Neubiberg, PUC Rio de Janeiro):

Comparing two different approaches to products in abstract relation algebras

16:10-16:30 Tea break 

Session: Order-sorted algebra (Chair: Giancarlo Mauri)

16:30-17:00 M. Erwig (FU Hagen):

Specifying type systems with multi-level order-sorted algebra
17:00-17:30 P. Thiemann (U. Tübingen):

An overview of the SODA system 

evening 

19:30-20:30 System demonstrations 
21:00-22:30 Concert (classic)








Wednesday 23 June 


09:00-09:50 Invited Talk:

Michael Johnson and C.N.G. Dampney (Macquarie Univ., Sydney):

Category theory and information systems engineering
09:50-10:10 Coffee break 

Session: Category theory in software engineering (Chair: Andrzej Tarlecki)

10:10-10:40 G. Hill (Imperial College, London):

Category theory for the configuration of complex systems
10:40-11:10 M. Cerioli, G. Reggio (U. Genova):

Algebraic-oriented institutions
11:10-11:30 Coffee break 

Session: Modular system design (Chair: Egidio Astesiano)

11:30-12:00 M. Navarro, F. Orejas, A. Sanchez (UPV San Sebastian, UPC Barcelona):

On the correctness of modular systems
12:00-12:30 H. Ehrig, F. Parisi-Presicce (TU Berlin, U. L'Aquila):

Interaction between algebraic specification grammars and modular system design
12:30-14:00 Lunch break

afternoon 

14:00-14:50 Invited Talk:

Steve Schneider (Oxford Univ., PRG):

Rigorous specification of real-time systems
14:50-15:10 Coffee break 

Session: Real-time system specification (Chair: Arthur Fleck)

15:10-15:40 R.K. Shyamasundar (TIFR Bombay):

Specification of hybrid systems in CRP
15:40-16:10 A. Cornell, J. Knaack, A. Naagia, T. Rus (BYU Utah, U. Iowa):

Real-time program synthesis from specifications
16:10-16:30 Tea break 

Session: Testing theory and applications (Chair: Christine Choppy)

16:30-17:00 E. Brinksma (U. Twente):

On the coverage of partial validations
17:00-17:30 K. Drira, P. Azema (LAAS Toulouse):

Verifying communication protocols via testing-projection


evening 

19:30-20:30 System demonstrations 
21:00- Surprise event



Thursday 24 June

morning 

09:00-09:50 Invited Talk:

Rob J. van Glabbeek (Stanford Univ., Dept. CS):

Full abstraction and expressiveness in structural operational semantics
09:50-10:10 Coffee break

Session: Algebraic semantics of concurrency (Chair: Irène Guessarian)

10:10-10:40 P. Malacaria (LIENS Paris):

Equivalences of transition systems in an algebraic framework
10:40-11:10 E. Battiston, V. Crespi, F. De Cindio, G. Mauri (U. Milano):

Semantic frameworks for a class of modular algebraic nets
11:10-11:30 Coffee break

Session: Process algebras (Chair: Martin Wirsing)

11:30-12:00 D. de Frutos-Escrig (UC Madrid):

A characterization of LOTOS representable networks of parallel processes
12:00-12:30 R. Gorrieri, M. Roccetti (U. Bologna):

Towards performance evaluation in process algebras
12:30-14:00 Lunch break

afternoon 

14:00-14:50 Invited Talk:

Nicolas Halbwachs, Fabienne Lagnier, Pascal Raymond (INPG Grenoble, Verimag Lab.):

Synchronous observers and the verification of reactive systems
14:50-15:10 Coffee break

Session: Modal logics and reactive systems (Chair: Robert F.C. Walters)

15:10-15:40 F. Laroussinie, S. Pinchinat, Ph. Schnoebelen (LIFIA-IMAG Grenoble):

Translation results for modal logics of reactive systems
15:40-16:10 L.N. Kaufman, S.L. Meira (UFPE Recife):

Modal action logic in a practical specification language
16:10-16:30 Tea break

Session: Design and refinement principles (Chair: Peter D. Mosses)

16:30-17:00 A. Mokkedem, D. Méry (CRIN Nancy):

On using a composition principle to design parallel programs
17:00-17:30 N. Sabadini, S. Vigna, R.F.C. Walters (U. Milano, U. Sydney):

A notion of refinement for automata 


evening 

17:30-18:30 System demonstrations 
19:00-23:00 Conference dinner

Friday 25 June


morning 

09:00-09:50 Invited Talk:

Hubert Comon (Univ. Paris Sud, LRI, Orsay):

Constraints in term algebras
09:50-10:10 Coffee break

Session: Object-oriented design and programming, I (Chair: Mohammed Bettaz)

10:10-10:40 E.G. Wagner (IBM Yorktown Heights): 

The role of memory in object-based and object-oriented languages 
10:40-11:10 R. Breu, M. Breu (TU München, Siemens Nixdorf München):

Abstract and concrete objects - An algebraic design method for object-based systems 
11:10-11:30 Coffee break 

Session: Object-oriented design and programming, II (Chair: Eric G. Wagner)

11:30-12:00 X.-M. Lu, T.S. Dillon (La Trobe U., Australia):

Towards an algebraic theory of inheritance in object oriented programming 
12:00-12:30 M. Gogolla, I. Claßen (TU Braunschweig, TU Berlin):

An object-oriented design for the ACT ONE environment 
12:30-14:00 Lunch break

afternoon 

14:00-14:50 Invited Talk:

Roberto Giacobazzi and Giorgio Levi (Univ. Pisa, Dept. CS) and Saumya K. Debray (Univ. Arizona, Dept. CS):

Joining abstract and concrete computations in constraint logic programming
14:50-15:10 Coffee break 

Session: Equational and logic programming (Chair: Michel Bidoit)

15:10-15:40 J.G. Martín, J.J. Moreno-Navarro (UP Madrid):

A formal definition of an abstract Prolog compiler 
15:40-16:10 V. Antimirov, A. Degtyarev (Copenhagen U. (DIKU), Kiev U.):

Completeness of equational definitions over predefined algebras
16:10-16:30 Tea break 

Session: Algebraic specification in software engineering (Chair: R. K. Shyamasundar)

16:30-17:00 G.J. Loegel, C.V. Ravishankar (U. Michigan):

An algebraic approach to modeling in object-oriented software engineering
17:00-17:30 E.A. Scott (U. Surrey):

An automated proof of the correctness of a compiling specification 
17:30- Closing

evening 

22:00- Live music in all pubs in Enschede.



AMAST’91 Banquet Talk 





Yuri Gurevich 




May 1991, Iowa City 



Prologue 

Tuesday, May 7, 1991. I sign the last grade sheet and smile at the spring sun. Finally the semester is over. A message from Teo Rus arrives. "The second conference on Algebraic Methodology and Software Technology needs a banquet speaker", writes Teo. I am very flattered. And scared. I recall a recent banquet talk in Ann Arbor. The man went on and on. I left before he finished. On the other hand, the invitation is a challenge and an opportunity. You know, sometimes we feel like philosophers if only anybody would listen. I accept the invitation before the scare gets a hold of me.

I leave my office and meet Kevin Compton, another member of the small computer theory group in our huge Department of Electrical Engineering and Computer Science. "How are you?" asks Kevin. "Well, I was fine only a few minutes ago", and I tell him about the invitation to give a banquet talk. "I do not envy you", says Kevin. Soon a message from him tells me about 5 books on public speaking in the library. I thumb the books. They have witty things on almost any subject, but do not mention algebra or software, let alone algebraic methodology and software technology. The volumes of humor are depressing. This is not it. Teo could find a professional joker to entertain the conference. At that time in Iowa it could be a national politician.

After thinking it over, I decide to take a scientific approach and write a scholarly paper. You know, another paper never hurts your vita. The scientific approach explains the use of "we" in the sequel.


The AMAST Phenomenon 

The organizing principles are given by the following observation attributed to Don Knuth:
The two most important questions about AI are: What is A and what is I? 

What is the question complexity of AMAST? There are 5 letters in the word, but A 
appears twice. A closer examination reveals that there are only 3 questions: 

(1) What is algebraic methodology? 

(2) What is software technology?

(3) What does AND mean in the AMAST context? 

The third question is the toughest of the three. 

Algebraic methodology 

According to Webster, methodology is "a system of methods, as in any science". Thus, algebraic methodology is a system of methods employed in algebra. Makes sense.
You may wonder how algebraic methodology is different from algebra. In algebra you search for definitions to formalize your theorems; in algebraic methodology you search for theorems to justify your definitions. It is clear that "algebraic methodology" sounds better on a grant proposal; it implies also some connection to applications.

Some folks ridicule the division of algebra or anything else into pure and applied. "Consider painting", they say, "if your paintings are bought by museums then you are a pure artist, and if your paintings are sold in a supermarket then you are an applied artist. But what if you intended to sell your paintings in a supermarket and a museum bought them? Are you a pure or applied artist?" We say: where do you find those clever folks? They all are in departments like Pure Mathematics or Physics. The distinction between pure and applied science is very important. How would DARPA know whom to support?

What is algebra? 

It is clear that algebra is the essence of algebraic methodology. So let us examine what 
algebra is. Etymology often is a key to the meaning. We asked a few of our learned 
colleagues about the etymology of “algebra” and then consulted Webster. It turns out that 
folklore and Webster disagree on the etymology of “algebra”. 

Folklore: "algebra" as well as "algorithm" come from the name Al-Khowarazmi of a 9th century mathematician.

Webster: "algebra" comes from Arabic "al-jabr" which means the reunion of broken parts.

The folklore explanation would be more useful to us because it connects AM with ST in a very natural way. Nevertheless, being committed to a scholarly approach, we adopt Webster's explanation as more scientific and will try to find a good use for it as well.

Is algebra a part of mathematics? 

Yes and no. 

Why yes? This is obvious and well documented; see [Jane Doe], [Robert Roe], [John Smith].

Why no? We give 2 proofs: By contradiction and by authority. These proofs are 
specially designed to work on banquets, after a good meal with plenty of wine and before 
the dessert. 

The proof by contradiction. If algebra is a part of mathematics then mathematics is 
broken into parts. The reunion of broken parts is algebra. Thus algebra = mathematics, 
which is not true. 

The proof by authority. The famous Communist prophet Vladimir Ilyich Lenin spoke about the algebra of social revolution. This places algebra into a different college, let alone a different department.

Is "yes and no" a legitimate answer? Sure. Since "AM and ST" is a legitimate title, "yes and no" is a legitimate answer. The question of what "yes and no" means will be discussed later on when we come to the second A of AMAST.

Algebra and logic 

Logic methodology has been used in AMAST talks as much as algebraic methodology. This is not surprising. Algebra and logic are like Michigan and Ohio. Do you know that there was a war between Michigan and Ohio? It was about Toledo. You may think that each




side wanted the other one to have Toledo, but this is not true. Each side wanted Toledo for itself. The federal government intervened and gave Toledo to Ohio. This explains the famous Michigan slogan OH-HOW-I-HATE-OHIO-STATE. Further, the federal government gave a portion of Wisconsin to Michigan. This is how Michigan became topologically disconnected. The reaction of Wisconsin is not documented.

The Toledo of algebra and logic is called "universal algebra" in algebra and "model theory" in logic. Maybe, Iran/Iraq is a better analogy because each side has its own name for the disputed part: Persian Gulf vs. Arabian Sea.

In any case, algebra and logic have a large intersection as witnessed by numerous 
AMAST talks. However we have 

Theorem 1 Algebra ≠ Logic.

Proof The proof is by contradiction and related to the Russian journal "Algebra and Logic". It would be silly to have a journal "Algebra and Algebra", and the Russian Academy would not approve such a thing. □

Logics 

There are many logics in the literature. Female logic, male logic, email logic, dialectical logic, mathematical logic, etc.

Male logic is all too known to be discussed here. 

Email logic is all too painful to be discussed here. 

Female logic is all too dangerous to be discussed here. The field of AMAST is dangerous as it is. As a matter of fact, we are going to discuss the dangers of the field. But there are prudent limits to risks taken.

Dialectical logic is sort of an art of being logical and illogical at the same time. In the SU (which means Soviet Union and is quite different from US; concatenation is not commutative), logic was divided into dialectical and formal. The first was always supported, the second was forbidden for years. Why? This is a wrong question, it is a question from a wrong logical system. A Soviet dissident logician Esenin-Volpin divided formal logical systems into two classes: democratic and totalitarian. In a democratic system, the rules tell you what is forbidden. By default, the rest is allowed. In a totalitarian system, the rules tell you what is allowed. By default, the rest is forbidden. (For those of you who understand only the language of categories, democratic and totalitarian systems are the final and initial objects of the appropriate category.) You wouldn't ask why Mr. A had not been allowed to go abroad. This would be a wrong question. You might ask why Mr. B had been allowed to go? That should have a good reason. For example, Mr. B might work for the secret police. Now you can see why the question "Why was formal logic forbidden?" is a wrong one. (Actually, they had a "reason" to forbid formal logic: the connection to philosophical positivism. Is positivism so exceptionally bad? Not necessarily. But it is certainly different from dialectical materialism, the only true philosophy.)

In the rest of this talk, logic means mathematical logic.

What is software technology?

This question is easy. We all know what hardware technology is. Software technology is the direct opposite of hardware, except it is a little harder.
Boom and gloom. Software technology is booming, but it goes through a severe crisis as well: reliability, compatibility, verifiability, etc. You name it. Some hackers do not realize that. They happily hack and change our world. It should be explained to them that there is a severe crisis out there. The poor devils badly need guidance and organizing principles. This is where AMAST comes in.

What does "x AND y" mean?

The third question about AMAST was about the AND of AMAST. We stumbled also upon the meaning of "yes and no". Let us generalize and consider a more general question: what does "x and y" mean where x, y are arbitrary things (not statements)? Our discussions with learned colleagues turned up a couple of possible answers.

(1) The set {x,y}. This answer may be blatantly wrong. AM and ST = AMAST which isn't a set of two elements. The organizing committee, all by itself, has more than two elements.

(2) The fact that the intersection of x and y is nonempty. That sounds a little more convincing, but cannot be quite right because x and y are not necessarily sets.

Notice that in both answers, AND is commutative, which is not true in general. It is well known for example that the Communist founders are Karl Marx and Friedrich Engels, not Friedrich Engels and Karl Marx.¹

(3) "x vs. y". This third answer is not necessarily true as well. For example, the relations between AM and ST are not adversarial; AM loves ST, and ST couldn't care less about AM.


One hazard of the trade: wrong abstraction level 

It is clear by now that we overabstracted our third question. A wrong abstraction level is 
one of the greatest hazards of our trade. 

If the abstraction level is too low, you have too many details. There are no theorems to prove or apply.

If you abstract too much, you may find yourself in a sterile atmosphere with no theorems (well, with only shallow theorems) to prove. Alternatively, this may be a delightful trap. You may find yourself in a very fertile atmosphere with numerous attractive theorems but this could be a problem too, because you may lose sight of the original question. For example, we find it very tempting to proceed with the investigation of the meaning of "x and y" in its full generality.

It may be in the eye of the beholder whether you abstract too much or not. For example, define programs equivalent if they compute the same thing, and find yourself in a delightful world of logic. Play with lambda calculus and types. (Didn't you really want to be a logician?) Ignore those silly programs that do not behave properly. The Unix kernel, for example. What does it compute? Nothing. It doesn't even converge. Modulo some side effects, it is equivalent to a trivial infinite loop.

What is the right level of abstraction? This is the art of our science. That is what AMAST is all about.

¹ At this point during the talk, Vaughan Pratt said, "See Paris and die".

So what does AND mean in the AMAST context?


Is it "motivated by"? There is a good precedent for this interpretation. That is what AND often means in the famous phrase "logic and computer science". We believe that "motivated by" isn't the main meaning in our case. As we mentioned above, there is an implication of [desired] applicability in the phrase "algebraic methodology".

Is it "applied to"? Hardly.

The most appropriate meaning seems to be: To be applied to [indirectly][eventually]. In other words, the meaning is "for".

Another delightful trap 

You dive into mathematics and ... never come back. This trap is similar to but different from the one we discussed earlier.

For example, you write a book on Principles of Programming Languages. You have to give some formal semantics, of course. Denotational semantics seems fun. It requires domain theory though, and domain theory requires fixed-point theory. You explain all this carefully. The project goes along quite nicely. Suddenly, you panic! You have to say something about programming languages as well. A real language, like C, would be too much detail and trouble; this is obviously too low an abstraction level. You already gave the semantics of lambda calculus which is, all by itself, a programming language par excellence. How about the while language? Good. This should satisfy all those imperative freaks.

More on the AND of AMAST 

There are of course other cases of "x and y" where AND means FOR. But there is something special about the AMAST use of AND. Consider, for example, the case when x = math and y = physics. Imagine you would like to apply some beautiful mathematics to some physics that does not quite fit your mathematics. What can you do? You can write science fiction but you cannot change the physical world. The situation is quite different if x = AM and y = ST. In principle, you can change ST. Why do they use those silly imperative languages that do not fit my mathematics? They would be much better off using functional languages or logic programming.

Future research

AMAST is in a business of changing the world of software technology. AMAST activities are hazardous, delightful and blessed with opportunities. They are approved and supported by the highest offices of the land like the Office of Naval Research.

Theorem 2 AMAST is A MUST. 

Proof sketch At this moment, we can only give a very preliminary sketch of our proof. The next AMAST will be in Europe. In one of the dialects of Europese, AND is UND. This accounts for the crucial change of A to U. □

Acknowledgement I am greatly thankful to Neil Jones and Zoe Gurevich for patiently listening to successive versions of this talk, for useful comments and for encouragement.

Some tentative thoughts on teaching computer science

1. Most of the students of today will be among the scientists, engineers, technologists, managers, teachers, politicians, etc. of the next 30 to 40 years. Hence
teaching in universities in general and teaching computer science in particular are 
challenging tasks with high responsibility. What students learn, know and think 
and how they deal with it may form them to a good part and, in this way, may 
influence the future of science, technology, economy, politics, society, etc. I fear 
that not all university teachers are aware of this responsibility. 

2. Teaching can be a hard job, in particular, if the teacher stands in front of an audience of 50, 100 or 500 students and has got only a vague idea of the levels of knowledge, motivation, interest and ability present. Frustration is not surprising under such circumstances, and enthusiasm seems to be wasted. Although the situation of teaching in universities needs a revision (at least in Germany), there is still the chance of success from time to time because students acknowledge the effort of teachers as far as I can see. Teachers must try.

3. Clearly, teaching is much more than the repetition of knowledge found in books. Knowledge is only the basic material that needs proper combination, interpretation, cross references and, above all, the teacher's personal comments and
views. The aim of teaching is not just to lecture on important matters to passive 
listeners, but to raise the students' interest, motivation and ability to play with, to 
work on, to think about and to understand the matter at hand actively and in 
their own fashion. University teachers must be good scientists and good 
animators. 

4. Computer science is an engineering and scientific field in an embryonic state 
that is rooted in mathematics and electrical engineering. It is assumed to provide 
key technologies for the future development of economy and society (at least in 
the well-developed countries). The outcome of computer science is changing the
work and life of many people. Hence teaching computer science must reflect the 
whole spectrum of relevant aspects from mathematics to social sciences. But how 
can this be achieved in an undeveloped field? A balance seems necessary between 
the well-understood basic matters of mathematics, engineering and social science 
useful in computer science and the urgent and actual questions that have got so 
weak and shallow answers up to now. But what is sufficient? 

5. The trouble with teaching theoretical computer science is a bit different. There 
is the wealth of mathematics one can employ. There are already some fairly well-
developed theories on basic objects of interest in computer science. But most of
the students (at least those I know) do not enjoy mathematics, are not able to
understand it properly or do not try hard enough. Hence motivation is 
mandatory. Unfortunately, a successful motivation is not very helpful if students 
understand the value of theoretical computer science, but are still not able to 
understand the matter itself. 
Mathematics of Computation for (Software and Other) Engineers

David Lorge Parnas
Communications Research Laboratory
Department of Electrical and Computer Engineering
McMaster University, Hamilton, Ontario, Canada L8S 4K1


1 Preliminary Provocation 

The title of this paper implies that Software Engineers are Engineers, i.e. that “software” plays 
the same role in their title that “Electrical”, “Mechanical” or “Chemical” play in the titles of other 
engineering specialities. This, in itself, would seem to be a controversial statement, since it 
suggests that the model for software engineering education should be engineering education, not 
science education or mathematical education. That is my opinion, and one of the assumptions 
underlying this paper, but it is not the subject of this paper. 

I like the term, “mathematical engineer”, which I am told is used by some Dutch Technical 
Universities for software engineering. It seems to me that, just as certain areas of Electrical 
Physics comprise the basic knowledge of an Electrical Engineer, certain areas of mathematics, 
which includes (in my opinion) the most substantive areas of Computer Science, should be the 
basic knowledge that characterises software engineering. However, we should not forget that just 
as Chemical Engineers need to know much more than chemistry. Software Engineers will need to 
know more than Computer Science and Mathematics. Because we cannot teach them everything 
we think they should know, there might be some fundamental areas of Computer Science and 
Mathematics that we don’t have time to teach them. 

2 The role of mathematics in engineering 

Those who do not have an engineering education themselves often fail to realise how much 
mathematics engineers learn. At my university, approximately 30% of an engineer’s education is 
devoted to things that are explicitly titled mathematics. There is a great deal of mathematics taught 
in the specialised engineering courses as well. This is not atypical; it is often required by 
accreditation committees that control whether or not the graduates of a programme can easily be 
recognised as professional engineers. 

Mathematics can be said to be one of the things that differentiate professional engineers from 
technicians. A major emphasis in engineering education is the concept of professional 
responsibility. An Engineer is taught from her first day at University, that her products must be “fit 
for use”. Engineering students learn that they cannot trust their intuition and “eyeballing” to be 
sure that a product is “fit for use”. Their education is, in great part, devoted to learning how to do 
both mathematical analysis, and carefully planned testing, of their proposed designs. They also 
learn to accept, as completely normal, the fact that their work will be subject to careful analysis 
and criticism, often based on mathematical analysis, by others. My own engineering education 
included approximately as much mathematics as would have been taken by a mathematics major 
and, at my alma mater, many of the courses were taken together with the mathematics majors. 
Regrettably, it is common to find special engineering mathematics courses, and to find that the 
mathematics professors who teach those courses assume that they are teaching people whose 
intellectual level is not as high as that of mathematicians. Having taught both, I do not see 
differences in ability, but I do see differences between the viewpoints of engineering students, and 
those of students majoring in mathematics or science. 

Although engineers study a lot of mathematics, an engineer’s view of mathematics is 
substantially different from that of mathematicians. Roughly put, engineers can take a lot for 
granted. Because their use of mathematics is always for the description and analysis of some 
physical product, they simply assume that functions have the properties that all functions 
describing physical products must have. They often do not bother to state those assumptions 
explicitly. This appears sloppy to many “formalists”. In most cases, the mathematics is perfectly 
sound if one adds the assumptions explicitly in an environmental declaration. Because engineers 
are working in situations where it is clear which symbols in their equations are variables and what 
they represent, they do not see a need for explicit mathematical notations such as the lambda 
notation. Because they always know the range of values for their variables, and they know what 
they are trying to compute, they see little need for the quantifiers, type, and signature declarations 
that logicians demand of their colleagues. Whereas mathematicians are primarily interested in 
deep theorems and general properties of classes of expressions, engineers are often concerned 
with “junk” theorems and detailed analyses of special cases. In such situations the complex and 
careful habits of logicians seem quite unworkable and there is always a gap between a 
mathematician’s treatment of a subject and that of an engineer who uses the same fundamental 
mathematics. What one chooses to record explicitly, the other tends to assume without much 
discussion. Those interested in exploring such issues further, should look at some of the writings 
of N.G de Bruijn and his students who had to pay a lot of attention to the “short-cuts” used by 
working mathematicians and engineers when they were developing their “Automath” system. [6] 

It must also be recognised that the mathematics is often implicit, rather than explicit, in 
engineering notations. When an electrical engineer notes the inductance, resistance, and 
capacitance of a component, she knows that these are the parameters for a set of differential 
equations, but those equations are not always written down, just used when necessary. Again, we 
see that engineering notations take for granted things that a mathematician would want to see 
stated explicitly. 

These remarks lead me to a pair of preliminary conclusions: 

* Engineers, whether software or otherwise, can be expected to make extensive use of math¬ 
ematics in the analysis of their products, including programs. Those who refuse to do so 
are technicians, not engineers. 

* When we develop mathematical methods for use by engineers, we need to respect the tradi¬ 
tional differences between engineering mathematics and the type of mathematics promoted 
by “formalists” or logicians in the style of Hilbert. If we don’t, we will be unnecessarily 
frustrated and quite ineffective. 

3 The role of programming in engineering 

When I was an undergraduate, programming courses were optional. Moreover, no academic 
credit was given for them. The computer was considered to be a slightly enhanced version of the 
mechanical calculator. There was no more thought of including a computer course in the 
curriculum than we would think of including a course on the Marchand calculators that filled 
some laboratories, or a course on the slide-rules that many of us carried on our belts. It was 
expected that we would learn to use these “tools of our trade” on our own, or in non-credit 
courses. Programming was considered to be a simple mechanical task, “laying down 
instructions”, akin to wiring up a circuit. Many engineers at that time had never taken a course in 
programming. When we began to offer the first credit course in programming at Carnegie Tech, 
there were many who feared that it would not have intellectual content analogous to a physics or 
calculus course. The Computer Science Department had to promise that they would not simply 
teach a programming language, but would teach something deeper and more lasting. 

Today, things have changed - both for the better and for the worse. There is no longer any 
question about whether or not an engineer should have courses in programming. The computer, 
and software are now ubiquitous in engineering. Many engineering products include computers 
and software; many others are designed and analysed using computers. Hardly a week passes in 
which we do not hear some anecdote about the failure of an engineering product being caused 
either by the software contained in it or by an error in the software used to design it. Since people 
rarely talk loudly about their failures, we can assume that the anecdotes are just the “tip of the 
iceberg”. Nobody questions the need for engineers to be good programmers and good at 
evaluating the software that they use. 

However, there is something else that nobody questions any more: they do not question the 
intellectual content of many engineering courses in computing. Nobody asks whether the 
intellectual content of these courses is comparable to that of other math or science courses. 
Perhaps the question is not asked because the answer would be embarrassing. The typical course 
simply teaches a programming language, an artifact designed by one or more human beings. Most 
of the time is spent on things that are not mathematical truths, or even lasting truths; they are just 
design decisions by (often not very good) language designers. The courses are exactly equivalent 
to teaching about a particular calculator, including the location of its buttons, how to turn it on, 
how to change the display, etc. Many of these courses teach almost the same artifacts that were 
taught 30 years ago, but that is not the real problem. The real problem is that the subject of the 
course is the artifact. You can always tell that something is wrong when there is a big debate about 
which artifact to teach about. The situation is analogous to changing the lectures of a course on 
electrical circuit theory because we acquired new oscilloscopes. Another sure sign that something 
is wrong comes when someone defends a course by saying that they just introduced a new artifact. 

We must also recognise another difference between engineering education and the education 
of scientists and mathematicians. In engineering schools there is a major emphasis on design. We 
are required by our accreditation committees to identify a large part of our curriculum as design. 
Design and analysis can be understood as complementary skills. Design is inherently creative and 
all that we can teach are heuristics, things that don’t always work. Consequently, solid, disciplined 
analysis is necessary. The mathematics is taught as part of the analysis component of these 
courses, not the design. This is in sharp contrast to the attitudes taken by another famous 
Dutchman in our field, E. W. Dijkstra, and his followers, who like to talk about mathematical 
derivations of programs from specifications. This is not the attitude taken in other areas of 
engineering. Design is recognised as a very creative task, in which mathematics and science 
provide essential inputs, but the primary role of the mathematics comes in the documentation and 
validation of the design. Program derivation from requirements appears analogous to deriving a 
bridge from a description of the river and the expected traffic. Refining a formal specification to a 
program would appear to be like refining a blueprint to produce a bridge. Engineers always 
make a distinction between the product and the description of it. This seems to be lost in the 
computer science literature on programming and software engineering. 

Those who chose engineering as a career path are often people with a fairly pragmatic view of 
life. They appreciate mathematics that is simple and elegant but they want frequent assurance that 
the mathematics is useful. It is important to show them how to use a mathematical concept, not 
simply to teach them the definitions and theorems. In engineering mathematics the emphasis has 
always been more on application of theorems than on proofs. 

4 The mathematics needed for professional programming 

I have recently taught a new course for first year engineers of all specialities. It replaced a 
course that could have been taught 30 years ago. I made two major changes: 

* A large part of the course taught the basic mathematics behind programming with emphasis 
on the use of mathematics to describe what a program does, or must do, without giving an 
algorithm. All programming assignments were expressed as mathematical specifications. 

* It was made very clear that the language was not the subject of the course. Students were 
given a choice of two programming languages that could be used in the laboratories. Two 
of the three lectures per week were taught in an algorithmic notation based on Dijkstra’s 
guarded commands. The third, “laboratory”, lecture taught a “real” language. 

The course emphasised both the creative steps in programming and the analytical steps needed 
to confirm that one had not just created a monster. 

The remainder of this section describes the mathematical contents of that course and how we 
used the mathematics to teach programming. 

4.1 Finite State Machines 

The first step in getting students to take a professional approach to programming is to get rid 
of the “giant brain” and “obedient servant” views of a computer. It is essential that students see 
computers as purely mechanical devices, capable of mathematical description. Students are taught 
that “remembering” or “storing” data is just a state-change, and taught to analyse simple finite 
state machines to “show” that they accomplish simple recognising tasks. The Moore-Mealy model 
is used. 

4.2 Sets, functions, relations, composition 

We present the basics of a naive set theory in which all sets consist of a finite number of 
elements from previously defined universes. We present the concept of relations (functions) as 
sets, and the operation of union, intersection, negation and functional (relational) composition. It 
is important to present the students with examples of the use of these concepts and exercises in the 
use. We want the students to know far more than the definitions and the algebraic laws; we ask 
them to apply the concepts to provide precise models of real-world situations. We show how the 
state machines that they learned about can be described by a pair of mathematical relations. 

4.3 Mathematical Logic based on finite sets 

In the first two sections, finite state machines, and sets have been kept not just finite, but small, 
so that they could all be described by enumeration. The next step is to point out that these are 
unrealistically small sets, that we cannot afford to describe most sets by enumeration, and that we 
must be able to make general statements about classes of states. We then introduce an 
interpretation of classical predicate logic in which all expression denotations are finite sets and we 
show them how to use predicate calculus to characterise sets, including functions and relations. 
The logic that we use allows partial functions (defining all primitive predicates on undefined 
values to be false). It is important to provide numerous examples in which the students use 
predicate logic to characterise the states of something real. Arrays (viewed as partial functions) 
provide a rich source of examples such as, “Write a predicate that is true if array A contains a 
palindrome of length 3.” Again, it is important to show the use of the mathematics to say 
important things about programs, and to teach them to use, as contrasted to prove theorems about, 
logic. The interpretation of logic that we use is described in [1]. 
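The palindrome exercise above, worked as an added example that is not part of the paper. An array is treated as a partial function from indices to values (a dict), the quantifiers range over a finite index set, and a primitive predicate applied to an undefined value is false, which is the convention assumed here; the sample arrays are constructed.

```python
# Added example (not from the paper): predicate logic over finite sets with partial
# functions.  An array is a partial function index -> value; a primitive predicate on an
# undefined value evaluates to false, so no expression is ever undefined.
from typing import Callable, Dict, Iterable, Optional

Array = Dict[int, int]          # partial function: index -> value


def at(A: Array, i: int) -> Optional[int]:
    """A(i) if defined, else None (the 'undefined' value)."""
    return A.get(i)


def eq(x: Optional[int], y: Optional[int]) -> bool:
    """Primitive equality: false whenever either argument is undefined."""
    return x is not None and y is not None and x == y


def le(x: Optional[int], y: Optional[int]) -> bool:
    """Primitive <=: false whenever either argument is undefined."""
    return x is not None and y is not None and x <= y


def forall(xs: Iterable[int], p: Callable[[int], bool]) -> bool:
    return all(p(x) for x in xs)


def exists(xs: Iterable[int], p: Callable[[int], bool]) -> bool:
    return any(p(x) for x in xs)


def has_palindrome_3(A: Array, indices: range) -> bool:
    """'A contains a palindrome of length 3':
         ∃ i ∈ indices . A(i) = A(i+2) ∧ A(i+1) is defined
    At the array boundary A(i+2) is undefined, so the body is simply false there."""
    return exists(indices, lambda i: eq(at(A, i), at(A, i + 2)) and at(A, i + 1) is not None)


def is_sorted(A: Array, indices: range) -> bool:
    """∀ i ∈ indices . (i+1 ∉ indices) ∨ A(i) <= A(i+1); a gap in A makes it false."""
    return forall(indices, lambda i: (i + 1 not in indices) or le(at(A, i), at(A, i + 1)))


# Constructed sample data.
A1 = {0: 4, 1: 7, 2: 4, 3: 9}     # 4,7,4 is a palindrome of length 3
A2 = {0: 1, 1: 2, 2: 3}           # no palindrome, sorted
A3 = {0: 5, 2: 5}                 # index 1 undefined: the gap must not count
```

The interesting cases are the boundary (i+2 off the end) and the gap in A3: with the undefined-is-false rule neither needs a special case in the predicate, which is what makes the notation usable for describing real states.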

4.4 Programs as “initial states” 

We provide a brief, and unconventional, view of programming as picking the initial state of a 
finite state machine. This is necessary when one wants to explain such concepts as table driven 
programs, interpreters, etc. At this point, I point out von Neumann’s chief insight (in the area of 
computer design), the interchangeability of program and data. 

4.5 Programs as descriptions of state-sequences 

We then give a more conventional view of programs as descriptions of a sequence of state 
changes. Each program, given an initial state, describes one or more sequences of state changes. 
This concept is presented abstractly; we do not give any programming language notation for 
describing the sequences. 

4.6 Programs as functions from starting-state to stopping-state 

After pointing out that programs can be characterised as either terminating or non-terminating 
we indicate that this first course focuses on programs that are intended to terminate after 
computing some useful values. We then show that the most important characteristics of programs 
can be described by a mathematical relation between the starting-states and the stopping states. 
The exact model used, LD-relations, is described in [2] or [3]. Here too, it is essential to provide 
examples in which the students use relations to describe distinct sets of sequences that are 
equivalent in the sense of having the same set of (start-state, final-state) pairs. 

4.7 Tabular descriptions of functions and relations 

We extend the notation of predicate calculus by introducing 2-dimensional tableaux, which we 
call simply tables, whose entries are predicate expressions or terms. We show that these are 
equivalent to more conventional notation, but easier to read. Students are given many examples in 
which we describe mathematical functions using these tables [7]. 

4.8 Teaching programming with this mathematical background 

The remainder of the course is devoted to teaching students to program. All programs are 
introduced, not with a natural language description, but with a mathematical description of the 
required behaviour. The simple programming notation that is used (essentially that in [3]) is 
defined using the mathematical concepts above. We begin with very simple programs and 
continue, always using the same discipline to cover more complex engineering problems. 
Homework assignments are given using the tabular notation. Students are shown how to 
systematically determine if a program in this notation covers all cases and does the right thing in 
each case. Although we never talk of “correctness proofs” we do use correctness concepts to 
explain a program. For example, we usually identify an “invariant” when explaining a loop, and 
use a monotonically decreasing quantity to convince students that a program will terminate. 
5 The mathematics needed for software engineering 

For many years I have taught courses entitled “Software Engineering” usually to students in 
the third or fourth year of university. Although the course has a significant design and pragmatic 
content, it has also been necessary to teach some mathematical concepts. Generally, Computer 
Science students have inadequate mathematical preparation for the course; they have learned too 
much theoretical computer science and too little about fundamental mathematics. However, the 
preparation of my Computer Engineering students seems even worse. They have had lots of 
mathematics, but the wrong mathematics. In this section, I will describe the mathematical basis of 
my software engineering class. The class covers the “standard” software engineering topics and 
students are asked to do practical exercises, but the basic message is that they must produce a 
sequence of documents whose contents must be representations of key mathematical functions. 
The approach is basically that in [4]. To get maximum benefit from the course, students should 
already be familiar with the concepts described in the previous section. Usually, they have not had 
the necessary exposure, and much of the course must be devoted to mathematics. 

5.1 How can we document system requirements? 

A critical step in documenting the requirements of a computer system is the identification of 
the environmental quantities to be measured or controlled and the representation of those 
quantities by mathematical variables. The environmental quantities include: physical properties 
(such as temperatures and pressures), the readings on user-visible displays, administrative 
information, (such as the number of people assigned to a given task), and even the wishes of a 
human user. These must be denoted by mathematical variables in the way that is usual in 
engineering. That association must be carefully defined, coordinate systems, signs etc. must be 
unambiguously stated. 

It is useful to characterise each environmental quantity as either monitored, controlled, or 
both. Monitored quantities are those that the user wants the system to measure. Controlled 
quantities are those whose values the system is intended to control. If needed, time can be treated 
as a monitored quantity. In the sequel, we will use “m1”, “m2”, ..., to denote the monitored 
quantities, and “c1”, “c2”, ..., to denote the controlled ones. Because it is often the case that a 
system is intended to both monitor and control certain quantities, these lists might have variables 
in common. 

Each of these environmental quantities has a value that can be recorded as a function of time. 
When we denote a given environmental quantity by “v”, we will denote the time-function 
describing its value by “v'”. Note that v' is a mathematical function whose domain consists of real 
numbers; its value at time t is denoted by “v'(t)”. 

The vector of time-functions (m1', m2', ..., mp') containing one element for each of the monitored 
quantities will be denoted by m'; similarly (c1', c2', ..., cq') will be denoted by c'. 

5.1.1 Relation NAT 

The environment, i.e. nature and previously installed systems, place constraints on the values 
of environmental quantities. These restrictions may be documented by means of a relation, which 
we call NAT. It is defined as follows: 

• domain(NAT) is a set of vectors of time-functions containing only the instances of m' al¬ 
lowed by the environmental constraints. 
• range(NAT) is a set of vectors of time-functions containing only the instances of c' allowed 
by the environmental constraints, 

• (m', c') ∈ NAT if and only if the environmental constraints allow the controlled quantities 
to take on the values described by c' when the values of the monitored quantities are de¬ 
scribed by m'. 

NAT is not always a function; if NAT is a function the computer system will not be able to 
vary the values of the controlled quantities without effecting changes in the monitored quantities. 

5.1.2 Relation REQ 

The computer system is intended to impose further constraints on the environmental quanti¬ 
ties. The permitted values may be documented by means of a relation, which we call REQ. It is 
defined as follows: 

• domain(REQ) is a set of vectors of time-functions containing the instances of m' allowed 
by environmental constraints, 

• range(REQ) is a set of vectors of time-functions containing only those instances of c' con¬ 
sidered permissible, 

• (m', c') ∈ REQ if and only if the computer system may permit the controlled quantities to 
take on the values described by c' when the values of the monitored quantities are de¬ 
scribed by m'. 

REQ is usually not a function because the application can tolerate “small” errors in the values 
of controlled quantities. 

5.1.3 Requirements feasibility 

Because the requirements should specify behaviour for all cases that can arise, it should be true 
that, 

(1) domain(NAT) ⊆ domain(REQ). 

The relation REQ can be considered feasible with respect to NAT if (1) holds and 

(2) domain(REQ ∩ NAT) = (domain(REQ) ∩ domain(NAT)). 

Feasibility, in the above sense, means that nature (as described by NAT) allows the required 
behaviour (as described by REQ); it does not mean that the functions involved are computable or 
that an implementation is practical. 

Note that (1) and (2) can be reduced to: 

(3) domain(REQ ∩ NAT) = domain(NAT). 

5.2 How can we document system design? 

During the system design two additional sets of variables are introduced: one represents the 
inputs, quantities that can be read by the computers in the system; the other represents the outputs, 
quantities whose values are set by the computers in question. These variables are associated with 
input and output registers on the computers in the system; their values will also be described by 
time-functions. 

In the sequel we assume that m' and c' are defined as in Section 5.1. 
5.2.1 Relation IN 

Let “i'” denote the vector (i1', i2', ..., ir') containing one element for each of the input registers. 
The physical interpretation of the inputs can be specified by a relation IN, defined as follows: 

• domain(lN) is a set of vectors of time-functions containing the possible instances of m', 

• range(IN) is a set of vectors of time-functions containing the possible instances of i', 

• (m', i') ∈ IN if and only if i' describes possible values of the inputs when m' describes the 
values of the monitored quantities. 

IN describes the behaviour of the input devices. It is a relation rather than a function because 
of imprecision in the measurements. It must be the case that, 

domain(NAT) ⊆ domain(IN), 

because the input device must transmit some value for every condition that can occur in nature. 
5.2.2 Relation OUT 

Let “o'” denote the vector (o1', o2', ..., os') containing one element for each of the output regis¬ 
ters. The effects of the outputs can be specified by a relation OUT, defined as follows: 

• domain(OUT) is a set of vectors of time-functions containing the possible instances of o', 

• range(OUT) is a set of vectors of time-functions containing the possible instances of c', 

• (o', c') ∈ OUT if and only if c' describes possible values of the controlled quantities when 
o' describes the values of the output quantities. 

OUT describes the behaviour of the output devices. It is a relation rather than a function be¬ 
cause of device imperfections. 

5.3 How can we document software requirements? 

The software requirements are determined by the system design document and the system re¬ 
quirements document. As mentioned earlier, the software requirements document can be seen as a 
combination of those two documents. It would contain the relations NAT, REQ, IN, and OUT. 

In the sequel we assume that REQ is feasible with respect to NAT, and that m', c', i' and o' are 
defined as in previous sections. 

5.3.1 Relation SOF 

The software will provide a system with input-output behaviour that can be described by a re¬ 
lation, which we call SOF. It is defined as follows: 

• domain(SOF) is a set of vectors of time-functions containing the possible instances of i', 

• range(SOF) is a set of vectors of time-functions containing the possible instances of o', 

• (i', o') ∈ SOF if and only if the software could produce values described by o' when the in¬ 
puts are described by i'. 

SOF will be a function if the software is deterministic. 

5.3.2 Software acceptability 

For the software to be acceptable, SOF must satisfy*: 

(1) ∀m' ∀i' ∀o' ∀c' [IN(m', i') ∧ SOF(i', o') ∧ OUT(o', c') ∧ NAT(m', c') → REQ(m', c')] 

Note that if one or more of the predicates IN(m', i'), OUT(o', c'), or NAT(m', c') are false, then 
any software behaviour will be considered acceptable. For example, if a given value of m' is not in 
the domain of IN, the behaviour of acceptable software in that case is not constrained by (1). 

If we assume that relations REQ, IN, OUT, and SOF are functions, we can use functional no¬ 
tation to rewrite (1) as follows: 

(1a) ∀m' [m' ∈ domain(NAT) → (REQ(m') = OUT(SOF(IN(m'))))] 

The writers of the requirements document must describe the relations NAT, REQ, IN, OUT. 
The implementors determine SOF and verify (1) or (la). A document of this type may require nat¬ 
ural language in the description of the environmental quantities, but can otherwise be precise and 
mathematical. The use of natural language in the definition of the physical interpretation of math¬ 
ematical variables is unavoidable and quite usual in engineering. 
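The relations of Sections 5.1 to 5.3 for a toy heater controller, as an added example that is not part of the paper. Time is sampled at T instants, so a time-function is a tuple of T values and every relation is a finite set of pairs that can be built and inspected; the feasibility condition (3) and the acceptability condition (1) are then checked by enumeration, once for a correct program and once for one that ignores the sensor error. The temperatures, tolerance band and sensor error are constructed for the example.

```python
# Added example (not from the paper): NAT, REQ, IN, OUT and SOF for a sampled-time
# heater controller, with feasibility (3) and software acceptability (1) checked by
# enumeration over finite sets of time-functions.
from itertools import product

T = 3                              # number of sample instants
TEMPS = range(17, 23)              # possible room temperatures (monitored quantity m')
READINGS = range(16, 24)           # possible sensor readings (input register i')
ONOFF = (0, 1)                     # heater state (controlled quantity c' = output o')


def nat(m, c):
    """Nature: the room temperature moves at most 1 degree per sample; c unconstrained."""
    return all(abs(m[t + 1] - m[t]) <= 1 for t in range(T - 1))


def req(m, c):
    """Requirement with tolerance: heater on at or below 18, off at or above 22,
    either in between (so REQ is a relation, not a function)."""
    return all((m[t] > 18 or c[t] == 1) and (m[t] < 22 or c[t] == 0) for t in range(T))


def in_rel(m, i):
    """Sensor: each reading is within +-1 of the true temperature (imprecision)."""
    return all(abs(i[t] - m[t]) <= 1 for t in range(T))


def out_fn(o):
    """Actuator: the heater does exactly what the output register says (a function)."""
    return o


def sof_ok(i):
    """Software under test: heater on when the reading is below 20."""
    return tuple(1 if r < 20 else 0 for r in i)


def sof_bad(i):
    """A wrong program: switches on only below 18, ignoring the +-1 sensor error."""
    return tuple(1 if r < 18 else 0 for r in i)


ALL_M = list(product(TEMPS, repeat=T))
ALL_C = list(product(ONOFF, repeat=T))
ALL_I = list(product(READINGS, repeat=T))

NAT = {(m, c) for m in ALL_M for c in ALL_C if nat(m, c)}
REQ = {(m, c) for m in ALL_M for c in ALL_C if req(m, c)}
IN = {(m, i) for m in ALL_M for i in ALL_I if in_rel(m, i)}


def domain(rel):
    return {a for a, _ in rel}


def input_covers_nature():
    """domain(NAT) ⊆ domain(IN): the sensor transmits something in every condition."""
    return domain(NAT) <= domain(IN)


def feasible():
    """(3): domain(REQ ∩ NAT) = domain(NAT)."""
    return domain(REQ & NAT) == domain(NAT)


def acceptable(sof):
    """(1): ∀m' ∀i' ∀o' ∀c' [IN ∧ SOF ∧ OUT ∧ NAT → REQ].  SOF and OUT are functions
    here, so o' and c' are computed rather than enumerated."""
    for m, i in IN:
        c = out_fn(sof(i))
        if (m, c) in NAT and (m, c) not in REQ:
            return False
    return True
```

The wrong program fails exactly where the paper says the document is precise and natural language is not needed: at a true temperature of 18 the sensor may read 19, the program leaves the heater off, and (18, off) is in NAT but not in REQ. The tolerance band in REQ is what makes any program acceptable at all given the ±1 sensor; narrowing it to a single threshold would make (3) hold but (1) unsatisfiable.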

5.4 How can we document software behaviour? 

Although the software requirements document fully represents the requirements that the soft¬ 
ware must meet, it may allow observable differences in behaviour. It will often be desirable to 
specify a subset of the behaviours allowed by the requirements document for actual implementa¬ 
tion. In this way designers will make certain decisions that might otherwise have been left for the 
programmers. The relation SOF can be described in a separate document known as the software 
behaviour specification. This document is especially important for multiple-computer systems be¬ 
cause it will define the allocation of tasks to the individual computers in the system. For computer 
networks, or multi-processor architectures one may see a hierarchy of software behaviour specifi¬ 
cations with an upper level document assigning duties to a group of computers, and the lower lev¬ 
el documents detailing the responsibilities of smaller groups of computers. The lowest level 
documents would describe the behaviour of software for individual computers. 

5.5 How can we document black-box module interfaces? 

Most modern computer systems require software of such size and complexity that it cannot be 
completed by a single person in a few weeks. For many reasons it is desirable to decompose the 
software construction task into a set of smaller programming assignments. Each assignment is to 
produce a group of programs (cf. Section 4.8) which we call a module. We view each module as 
implementing one or more finite state machines, frequently called objects or variables. A descrip¬ 
tion of the module interface is a black-box description of these objects. 

Writing software module interface specifications is similar to documenting software require¬ 
ments but some simplifications are possible. Many software modules are entirely internal; there 
are no environmental quantities to monitor or control and all communication can be by means of 
external invocation of the module’s programs. Moreover, the state set of a software module is fi¬ 
nite, and state transitions can be treated as discrete events. For most such modules, real-time can 
be neglected because only the sequence of events matters. This allows us to replace the general 
concept of time-function by a sequence describing the history in terms of discrete events; we call 
these sequences traces. 
* In the following the universes from which m', c', i' and o' are drawn are assumed to include all vectors 
of time-functions. 

We identify a finite subset of the set of possible traces, which we call canonical traces. Every 
trace is equivalent to a single canonical trace. Trace assertion specifications comprise three 
groups of relations: 

(1) Functions whose domain is a set of pairs (canonical trace, event) and whose range is a set of 
canonical traces. The pair ((T1, e), T2) is in the function if and only if the canonical trace T2 is 
equivalent to the canonical trace T1 extended with “e”. These functions are known as trace ex¬ 
tension functions. 

(2) Relations whose domain contains all the canonical traces and associate each canonical trace 
with a set of values of output variables. 

(3) Functions whose domain is the set of values of the output variables and whose values define 
the information returned by the module to the user of the module. 

5.6 How can we document internal module design? 

Each module has a private data structure and one or more programs. We propose to document the design sufficiently precisely that its correctness can be verified. The internal documentation of a module contains three types of information: 

(1) A complete description of the data structure, which may include objects implemented by other modules. 

(2) A function, known as the abstraction function, whose domain is a set of pairs (object name, data state) and whose range is a set of canonical traces for objects created by the module. The pair $((on, ds), T)$ is in this function if and only if a trace equivalent to $T$ describes a sequence of events affecting the object named $on$ that could have resulted in the data state $ds$. 

(3) An LD-relation [2,3], often referred to as the program function, specifying the behaviour of each of the module's programs in terms of mappings from data states before the program execution to data states after the execution. 
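
The following is an added example, not code from Parnas's paper: a trace assertion specification of a hypothetical STACK module with events PUSH and POP, the three groups of relations above (trace extension function, output relation, return-value function), the three parts of the internal design just listed (data structure, abstraction function, programs), and a check that the abstraction of the data state after each program run equals the extension of the abstraction of the state before it, which is what verifying the design against the specification amounts to. All names (PUSH, POP, TOP, Stack, BuggyStack) are constructed for the illustration.

```python
from typing import Dict, Optional, Tuple, Type

# Events of the hypothetical STACK module: (event name, argument or None).
PUSH, POP = "PUSH", "POP"
Event = Tuple[str, Optional[int]]
Trace = Tuple[Event, ...]          # a trace is a finite sequence of events


class IllegalEvent(Exception):
    """An event the specification does not allow in the current history."""


# (1) Trace extension function: (canonical trace, event) -> canonical trace.
# Canonical traces of the stack are exactly the sequences made of PUSH events;
# every other trace is equivalent to one of them.
def extend(canon: Trace, event: Event) -> Trace:
    name, arg = event
    if name == PUSH:
        return canon + ((PUSH, arg),)
    if name == POP:
        if not canon:
            raise IllegalEvent("POP on an empty stack")
        return canon[:-1]
    raise IllegalEvent(f"unknown event {name!r}")


def canonical(trace: Trace) -> Trace:
    """Fold extend() over an arbitrary trace to obtain its canonical trace."""
    canon: Trace = ()
    for ev in trace:
        canon = extend(canon, ev)
    return canon


# (2) Relation from canonical traces to values of the output variables.
def output_values(canon: Trace) -> Dict[str, Optional[int]]:
    return {"depth": len(canon), "top": canon[-1][1] if canon else None}


# (3) Function from output-variable values to what the TOP program returns.
def top_result(values: Dict[str, Optional[int]]) -> int:
    if values["top"] is None:
        raise IllegalEvent("TOP on an empty stack")
    return values["top"]


# Internal design: data structure (a Python list) and the module's programs,
# each a mapping from the data state before to the data state after.
class Stack:
    def __init__(self, name: str) -> None:
        self.name = name
        self._items: list = []

    def data_state(self) -> Tuple[int, ...]:
        return tuple(self._items)

    def push(self, x: int) -> None:
        self._items.append(x)

    def pop(self) -> None:
        if not self._items:
            raise IllegalEvent("POP on an empty stack")
        self._items.pop()

    def top(self) -> int:
        if not self._items:
            raise IllegalEvent("TOP on an empty stack")
        return self._items[-1]


class BuggyStack(Stack):
    """Faulty design used to show the check failing: POP discards the oldest element."""
    def pop(self) -> None:
        if not self._items:
            raise IllegalEvent("POP on an empty stack")
        del self._items[0]


# Abstraction function: (object name, data state) -> canonical trace.
def abstraction(object_name: str, data_state: Tuple[int, ...]) -> Trace:
    return tuple((PUSH, x) for x in data_state)


def verify_against_spec(trace: Trace, impl: Type[Stack] = Stack) -> bool:
    """Run the trace on `impl` and check, after every event, that the abstraction of
    the new data state equals the specification's extension of the abstraction of
    the old one, and that TOP returns what relations (2) and (3) prescribe.
    Returns False at the first discrepancy; an illegal event raises IllegalEvent."""
    s = impl("s1")
    for ev in trace:
        before = abstraction(s.name, s.data_state())
        expected = extend(before, ev)            # what the specification demands
        name, arg = ev
        if name == PUSH:
            s.push(arg)
        else:
            s.pop()
        after = abstraction(s.name, s.data_state())
        if after != expected:
            return False
        if after and s.top() != top_result(output_values(after)):
            return False
    return True


if __name__ == "__main__":
    t: Trace = ((PUSH, 1), (PUSH, 2), (POP, None), (PUSH, 3))
    print(canonical(t))                        # ((PUSH, 1), (PUSH, 3))
    print(verify_against_spec(t))              # True
    print(verify_against_spec(t, BuggyStack))  # False
```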

6 Do we need new mathematics or merely new representations? 

There is something in the above that will be disturbing, perhaps even annoying, to many people. We have managed to make precise mathematical statements about software engineering using classical mathematical concepts. We have not used any of the relatively new "specification languages", which have been developed especially for software engineering applications. We have even been able to talk about the real-time characteristics of systems without introducing any changes in our logic for that purpose; we have dealt with real time using the traditional engineering approach, the use of functions whose range and domain are taken from the set of time-functions. I have studied the new "formal methods" and simply do not see how they add value; it seems to me that the mathematics needed by engineers to understand software is very close to the classical mathematics that was developed before Computer Science became an identified "discipline". In [5] I presented some serious doubts about the direction taken by Computer Science; this paper presents further grounds for those doubts. 

On the other hand, when we tackle real software engineering problems, such as the A-7 Onboard Flight Program [8], or the Darlington Nuclear Plant [9], we find a need, not for new basic concepts but for new notations. The use of conventional, one-dimensional notation to describe functions and relations resulted in pages of repetitive formulae that were hard to parse. It is for this reason that we have introduced the multidimensional notations, first used in [8] and described in [7]. If the new specification languages are new, it is only in their semantics; they have deviated in no significant way from the one-dimensional notation that is traditional in mathematics. Our experience suggests that the semantic issues are not the serious ones. New notation, with classical semantics, has proven very practical. 

¹ Two traces are equivalent if they have the same effect on future behaviour of the object. 
² A trace extension function is sometimes called a reduction function. 

7 Acknowledgments 

These thoughts have been strongly influenced by H. D. Mills and N. G. de Bruijn. Some of the text was taken from a paper written jointly with Prof. Jan Madey of Warsaw University ([4]). 
1. Introduction 


What kinds of mathematics are useful for software developers raises the general question of what software is, in quite the same way as asking what kinds of mathematics are useful for chemists or biologists. 

Arguing on the very nature of software might rapidly become a rather academic and artificial question without any consistent answer. Following the advice of Wittgenstein, "Don't ask for a meaning, ask for a use!", I will prefer starting from the use. 

In the case of software engineering, the basic question is: What kind of information systems are we trying to build today, and, inside these systems, what is the role devoted to the software? 

At the early time of J. Von Neumann and until the mid 70's, software was mainly a problem (sometimes a very difficult one) of creating algorithms. Consequently the way to express algorithms, that is to say the issue of having "good" programming languages, was one of the dominant questions. 

The software development of that time was the production of small sized staff, often reduced to a single designer and some programmers, but with the interesting characteristic of having been well trained in mathematics, 

• either through numerical analysis for practical computation problems such as the Monte Carlo method, operations research or statistics, ... 

• or, more rarely, through mathematical logic for creating sound system architecture, computation model or system model description including linguistic aspects, ... 

A good deal of mathematics was elaborated and adapted at that time, mainly based on the outcomes of research in the field of mathematical foundations accumulated in the first half of the century. The strong connection between early computer science and mathematical logic has given us the foundation of theoretical computer science and the mathematics associated with it: automata theory, formal languages, computability, etc. 

That theoretical area of knowledge has had a first direct practical application in the domain of programming languages and their associated translators. Reliable compiler construction is probably the most well known success, and I can witness to it. 
Starting from the early 80's with the PC revolution, the nature of software has been progressively and completely modified. It is becoming massive and is better characterized by a more or less deep entanglement in large or very large systems, in the sense of General System Theory, where some parts of the system are software and some others are devices of any type, which may include human beings, either to perform computation still beyond the capacity of machines (as for example complex pattern recognition) or to take the appropriate decisions and control the system. In such systems each part influences the others, creating the so called "strange loops" whose side effects are to exponentiate complexity. Progressively, software is becoming "reactive" or embedded! The traditional opposition between scientific or real time software and business software, i.e. Cobol software, is becoming meaningless with the rise of networks and graphical user interfaces. Software is no more a solitary production and now requires large staff, sometimes several hundreds of developers and years of development, whose global behaviour may be far from the elementary behaviour of its individual members, in such a way that team organisation is becoming a major issue. 

Professor Lehman, in his book "System evolution: the process of software change", has emphasized the strange relationship and duality which exist between the system to build and what he calls the meta-system, that is to say the software production system itself; but he hasn't provided any real explanation of what he has observed, so that what he has called "Laws of software engineering" may only be considered as experimental evidence. The situation may be depicted as follows: 
It is now clear that understanding software necessarily implies understanding the global system context, not only its architectural aspect but also the process to build it: a kind of software embryology. The human aspect of software engineering is a major issue, facing the certitude that it will be much more difficult to automate than any other engineering field such as hardware. 

Again, a good deal of mathematics exists to describe the way systems behave: graph theory, operations research, theory of games, coding and information theory, modelization, etc. 

Coming back to Von Neumann, whom I mentioned above, it is quite remarkable that in the latest part of his life, when he literally founded the theory of automata, he was especially interested in finding practical solutions to what he considered as the three fundamental factors limiting the engineer's ability to build powerful computers: 

• the size of elementary hardware components, 

• the reliability of the elementary components, 

• the lack of a theory of logical organization of complicated systems of computing elements. 

Transposed into modern software terminology, we have the three basic issues: 

• the size of elementary automata (as a mathematical model of programs), 

• the reliability of automata (as an elementary proof of syntactic and semantic correctness of programs), 

• the way to group automata to form very large sets of cooperative automata, or, in other words, the way to organize them in order to be able to predict in a deterministic way their global behaviour and their expected global reliability. 

These three issues are the hard core of the main interrogations for the professional, or at least mine, in order to offer a minimal warranty of the effectiveness of software engineering. 

It is clear for me, and I hope for all of us, that, as in all the other engineering fields, mathematics will play a prominent role in future software engineering. Not only "pure" mathematical logic, but also all the mathematics which mathematicians such as Von Neumann, Turing, Ulam, ... considered useful and which is even more relevant to our day to day problems. 

It is important to note immediately that some of the observed phenomena deal with rigid, all-or-none concepts, which is the characteristic of logic, and that some others are better approximated with continuous concepts, as for example reliability, serviceability and adaptability of very large systems. 

From a pedagogical point of view, and this is a fundamental issue for the mathematical training of software developers, formal logic is one of the most refractory and abstract parts of mathematics as well as a very recent one; so we have to consider the role of continuous models as an approximation of discrete ones, because continuous mathematics is the best cultivated portion of mathematics, with the most historical background, which provides us with large fields of interpretations and reformulations of classical questions. This methodological advice of JvN, formulated years ago, is still applicable. 

However, it is not my intention to play the historian and present the prominent role of JvN in computer science; there are some good books on that subject. Reading the master's work is still exciting and hardly a waste of time. So, returning to our subject of mathematical training, I will present briefly three problems I have been confronted with permanently during my professional life and the kind of mathematics one can guess behind them. 

These three problems may be summarized as follows. 

Problem #1: We observe a great variability of the amount of programming required for systems intuitively perceived as very similar to one another (a range of 1 to 10 may be easily observed). Is there anything similar in the field of mathematics and if yes, what is the explanation? How can we explain that slight variations in the specification of a system may create a totally non-linear one at the programming (or automata) level, in both directions, positive or negative? Do we have models for that or is there only chaos? 

Problem #2: Very large software systems (up to several million lines of code) cannot be built from scratch. They require numerous intermediary steps before being completed and fully operational. The question is: what is the dynamic of growth of such software systems? What is the complexity level one can manage step by step in order to avoid system construction divergence or oscillations? What is the amount of ancillary work to provide in order to bring the system into existence: a kind of thermodynamics second principle applied to software engineering! 

Problem #3: Very large systems with billions of states are far beyond our ability to provide formal proof of syntax and/or semantic correctness. What do we call the proof of such a system, and who gives us warranty that the proof is correct and much shorter than the system to prove? In other words, to ask as JvN did: who custodes the custodies! Thus, system reliability becomes a matter of probability and statistics. The question is: what are the necessary conditions to ensure that the minimum has been done, and what are, if any, the mathematical models to ensure that error effects will be kept under a minimal threshold given in advance, as for example: the system may fail, but it must restart in a correct state in less than x seconds? This time it is an equivalent of Shannon's second theorem which must be set up! 


2. P#1 - The variability of software system size 

It is extremely difficult, even impossible, to have a practical experience of software size variability in a classical software developer curriculum. To observe interesting phenomena, a large amount of development is required, generally incompatible with the kind of work which is asked of a student. 

By chance, there is an interesting analogy between software development and mathematical development, so that we can use mathematical development as a substitute for program development. The length of the proof of some theorems may vary in a wide range according to the way the theory has been settled: kind of objects, representation of the objects, choice of the axioms, and so on ... 

A remarkable fact is that software size is weakly dependent on the programming language but highly dependent on the architecture and organisation of the whole software system. Similar situations exist in what mathematicians call local and global considerations in mathematical development [see A. Lautman: Essai sur l'unité des mathématiques]. 
Thus, the central thesis for P#1 is that there exists a pertinent analogy between program development and mathematical theory development, so that studying the latter will provide us with insight for a better understanding of the former. 

To go deeper, a brief recall of formal system theory will be needed. Very good books exist on formal systems and everything can be easily found. 

At a first and rather intuitive level, we will consider a formal system as having 3 basic components, as follows: 

Syntax of the formal system. 

The syntax of a formal system, later on abbreviated FS, is well illustrated by what is called concrete syntax in programming language theory. This is a set of rules which explains how the basic objects and elements of the system are settled, and how more complex expressions may be built starting from the basic ones. Rules of naming - proper names and class/generic names - (of exceptional importance in any complex system) belong to the syntax of the FS. 

Semantics of the formal system 

As opposed to syntax, which is purely abstract, semantics deals with meaning, that is to say how expressions may preserve properties, as for example those of being true or false, with regard to a given domain into which they can be interpreted or translated. Again, programming languages allow us to illustrate simply what semantics is (but FS semantics is far beyond programming language semantics, so beware of a limited understanding!). Strongly related to syntax and semantics is the distinction made by logicians between intension and extension. Intension deals with the form or syntax of an expression or a function [see G. Frege - Begriffsschrift - for a detailed and precise analysis]; extension deals with the domains associated with the function, i.e. input domains, output domains, state domains, error domains, etc. Intension and extension are in a dual relationship and are two ways of speaking of the same thing; intension and extension considerations are of exceptional importance in distributed systems where data and algorithms may be freely exchanged. 

Pragmatics of the formal system 

Pragmatics refers to the way the FS is used by the observer. In a logical perspective it deals with the different interpretations which can be associated with the FS and with how facts of the real world may be precisely associated with abstract domains defined in the FS. Obviously only a small subset of the facts perceived in the real world may be abstracted and associated with classes of the FS; such facts will receive proper names to be identified unambiguously. Sciences such as physics witness the difficulty of assigning meaning to abstract entities and of identifying interesting abstract entities. In the programming world, pragmatics is of utmost importance (much more important than in mathematics) because we are interested to know how programs or systems behave and how they can be executed on real machines, because we have to interact more and more with them. The Ada language introduces a notion of pragma which is effectively relevant to pragmatics but which is far from covering all the pragmatic aspects associated with the program text. The difficulty of using Ada in hard real time systems with exact time constraints is a matter of language pragmatics; a deterministic or non deterministic run time environment is another one, which is an implementation choice. 

[...] 

3. P#2 - Pattern of growth of software systems 


AMAST93 J.Printz Draft 05/05/93 

Mathematical training for the software developers: a practical experience 


Understanding the way and the conditions [sufficient and/or necessary] under which software systems can grow is a major issue for the information technology industry. It raises immediately two fundamental questions: 

1. How can we measure or estimate software size; what is the unit of size? 

2. Is there any limit to the size of a software system? Are there any limitation factors? If such factors exist, are they absolute or relative to a given maturity level of the software industry? 

In the absence of a well defined unit of size (this is the case, up to now!), the models which can be built will have a strong qualitative taste, and this is already an important limitation if we compare this situation with the state of the art of other scientific engineering fields. 

Once a model is defined, another important topic is the dynamics of the model. Everyone who has had the chance to work with large staff has been confronted with some very strange phenomena, such as oscillations or instability, which may cause dramatic system regression. The question is: what is behind it? Is there anything in the software process which looks like dynamic instability similar to what we find in chaos? What is the effect of the arrow of time? 

Thus, the central thesis for P#2 is that system dynamics is a fundamental topic of software engineering which needs to be investigated in detail - that is to say with the help of models, even if they are qualitative - if we want to get a chance to understand the factors which limit software productivity. 

To sustain the thesis, I will present 3 elementary models and will give some explanations on how they relate to the real software world. Real world software development may be depicted as follows: 
Parts of the real world are progressively translated into an executable software system. We are interested to know the efficiency of the transformation, in particular how the productivity ratio evolves according to the system structure and to the organization of the development. 

Model 1 - M1 - is simply the exponential growth model when there is no limitation to the growth. The characteristic equation of the model is the classical one: 

$\Delta S = \varepsilon\, S\, \Delta T$ 

where $S$ is the actual size, $\Delta S$ the increase of the size, $\Delta T$ the increase of an abstract time (approximately the amount of effort) and $\varepsilon$ the rate of increase of $S$ per unit of abstract time $T$. 

Model 2 - M2 - is the S curve (also called the logistic curve) model, of paramount importance in software engineering as in other engineering fields such as chemical engineering or population dynamics. The well known equation of the model is 

$\Delta S = (\varepsilon - \lambda S)\, S\, \Delta T$ 

where $\lambda$ is a limiting factor which depends on the system structure, whose effect is to diminish the rate of increase, which is no longer constant. This well known model is typical of growth in the context of limited resources. 

Model 3 - M3 - is a little bit more sophisticated and takes into account the organizational environment, which may also induce additional limitation. As everybody knows, organizations may become less efficient (and sometimes very badly so) when they grow old. The corresponding term, called the self-infection or self-destruction term, will have the form 

$\int \varphi(u)\, F(u)\, du$ 

in which $F$ is a function which relates to the organization and its ability to generate noise which will reduce its efficiency. I will describe that function by giving an intuitive description of it with the help of a game theory model known as the prisoner's dilemma. 

The general equation of the model now has the following form 

$\Delta S = \left(\varepsilon - \lambda S - \int \varphi(u)\, F(u)\, du\right) S\, \Delta T$ 

which has been studied and integrated by Volterra [see Volterra's classic: Théorie Mathématique de la Lutte Pour La Vie]. 
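
The three growth models above, iterated step by step as an added example (this code is not from the paper). The paper does not define $\varphi$ and $F$; the reading assumed here is that $\varphi(u)$ weights how much the situation $u$ time units ago still matters and that $F$ is evaluated on the size reached at that time, so the integral becomes a sum over the system's history. The parameter values (growth rate, limiting factor, kernel) are constructed.

```python
import math
from typing import Callable, Dict, List


def model_m1(s0: float, eps: float, dt: float, steps: int) -> List[float]:
    """M1, unlimited growth: ΔS = ε S ΔT, iterated for `steps` units of abstract time."""
    s = [s0]
    for _ in range(steps):
        s.append(s[-1] + eps * s[-1] * dt)
    return s


def model_m2(s0: float, eps: float, lam: float, dt: float, steps: int) -> List[float]:
    """M2, logistic growth: ΔS = (ε - λS) S ΔT; the size saturates at ε/λ."""
    s = [s0]
    for _ in range(steps):
        s.append(s[-1] + (eps - lam * s[-1]) * s[-1] * dt)
    return s


def model_m3(s0: float, eps: float, lam: float, dt: float, steps: int,
             phi: Callable[[float], float], F: Callable[[float], float]) -> List[float]:
    """M3, logistic growth with a self-destruction term: ΔS = (ε - λS - ∫φ(u)F(u)du) S ΔT.
    Assumed discretization (not in the paper): the integral is the sum, over every past
    step k, of φ(age of step k) * F(size at step k) * ΔT."""
    s = [s0]
    for n in range(steps):
        memory = sum(phi((n - k) * dt) * F(s[k]) * dt for k in range(n + 1))
        rate = eps - lam * s[-1] - memory
        s.append(max(0.0, s[-1] + rate * s[-1] * dt))   # a size cannot become negative
    return s


# Constructed parameters: 10% growth per unit of effort, limiting factor λ = 0.001
# (so M2 saturates at ε/λ = 100 size units), 200 steps of abstract time.
EPS, LAM, DT, STEPS, S0 = 0.1, 0.001, 1.0, 200, 1.0


def noise_kernel(u: float) -> float:
    """Assumed φ: organizational noise fades exponentially over roughly 10 steps."""
    return 0.005 * math.exp(-u / 10.0)


def noise_source(size: float) -> float:
    """Assumed F: the noise an organization generates grows with its relative size."""
    return size / 100.0


def compare_models() -> Dict[str, float]:
    """Final size reached under each model after STEPS steps."""
    return {
        "M1": model_m1(S0, EPS, DT, STEPS)[-1],
        "M2": model_m2(S0, EPS, LAM, DT, STEPS)[-1],
        "M3": model_m3(S0, EPS, LAM, DT, STEPS, noise_kernel, noise_source)[-1],
    }


if __name__ == "__main__":
    for name, size in compare_models().items():
        print(f"{name}: {size:.1f}")
```

With these parameters M1 explodes, M2 settles at the limit ε/λ, and the memory term of M3 holds the system well below that limit, which is the qualitative effect the text attributes to an ageing organization.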

[...] 

4. P#3 - Reliability of large software systems 

It is a law of nature that reliability, in a very broad sense, deals with redundancy. Human language is highly redundant, and so are brain organization or mammals' DNA molecules. Hardware reliability, much closer to us, is supporting evidence that desperate situations (remember what hardware technology was at the time of JvN) can be dominated and mastered. A prerequisite is that the error phenomenon be recognized as a central question in software development, if not THE unique one, as it has been in other fields such as data transmission. To quote R. Hamming in his classic Coding and Information Theory: "Most bodies of knowledge give errors a secondary role, and recognize their existence only in the later stages of the design. Both coding and information theory, however, give a central role to errors (noise) and are therefore of special interest, since in real life noise is everywhere". 

Returning to our logical model roughly described in P#1, errors may be present at the 

• syntactic level, 

• semantic level, 

• pragmatic level. 

Mathematics can give us significant help for the syntactic level by providing for that level well founded abstract objects, such as automata or elementary data structures, which play for information representation the same role as real numbers and functions in other engineering fields. 

Mathematics can give us some help for the semantic level by providing well founded domain definitions to which abstract objects belong, and well founded transformation rules from one domain to another. Abstract monitor models such as CSP, concurrency models, programming models or normal forms in data modelling belong to that level. 

Mathematics is of limited help, not to say of no help, for the pragmatic level, for which there is no alternative to verification and validation techniques. Again this situation is rather common in all the engineering fields: there is no demonstration that the space shuttle is bug free or that a bridge will not break. Trials must be done. The worst situations occur when trials can't be done, as for the Star Wars software system. 

Thus, the fundamental issue is twofold: 

First, the type of mathematical proofs which can be reached and in particular the complexity of the proof itself. Proofs must be constructive; if they are not much shorter than the programs to prove, they are useless in the real engineering world. I consider as very promising the kind of correctness proofs done for VLSI, whose main result is to dramatically reduce the simulation time needed to verify and validate the circuit. 

Second, the management of the redundancy to be added to the programs, with a double question: how much redundancy? and where to insert it in the programs? The problem is how to reduce the time between the fault occurrence and the fault detection by an observer, and how to control the program overhead in such a way that the real time behaviour is kept under a threshold given in advance. The observer - a kind of Maxwell's demon - gives us information on the state of the system but also modifies and adds uncertainties to the system behaviour, as in Quantum Mechanics. 

Then, the central thesis for P#3 is that redundancy management be recognized as the most important topic of software reliability, and that information theory provides a conceptual framework to formulate clearly the very nature of information, redundancy and organization, as well as the role of the human or artificial observer. 

In that part I will only sketch a research direction, focused on the elementary behaviour of program flow (with the help of regular expressions) and on the dynamic structure of the data references associated with the program (topological relations between both). By the way, we will see how test strategies may be made more effective. 

[...] 

5. Conclusion 


Among the 3 problems presented in this paper, the latest is probably the most challenging for the future of information technology. With regard to the age of software technology, we are still in the period where we can simply and modestly observe the phenomenon. We certainly need to measure much more quantitatively what we observe, and this is a preliminary condition to any progress. The ultimate aims of software reliability will probably take much more time to be achieved than expected (as compared with hardware engineering, for which it has taken almost 50 years). To quote JvN: "The great progress in every science came when, in the study of problems which were modest as compared with ultimate aims, methods were developed which could be extended further and further. The sound procedure is to obtain first utmost precision and mastery in a limited field, and then to proceed to another, sometimes wider one, and so on. The experience of more advanced sciences, for example physics, indicates that impatience merely delays progress, including that of treatment of the burning questions. There is no reason to assume the existence of shortcuts". 

Returning to the initial interrogations on the usefulness of mathematics for software developers, I will insist a last time on two aspects which seem to me of equal importance: 

• The first aspect is that there will be no future for software engineering without the help of mathematical methods, and especially those of discrete mathematics. 

• The second aspect is that the way mathematical development has been achieved through history is of exceptional pedagogical importance. 

Mathematical development has evolved through the ages: new concepts have been added, formulations of classical problems have been entirely reformulated in a much more natural and elegant way, and so on. Logic is a good illustration of both aspects, although geometry and algebra probably offer more far-reaching examples, but may require more mathematical skill. 

These rather aesthetic considerations seem to me of considerable importance for software developers, whose programs are (or should be) populated with abstract entities sometimes far beyond intuitive evidence, by providing them with logical forms and reasoning schemes which are the foundation of rational, unambiguous and explicit thinking as well as of reliable human communication. 
1. Introduction 

The idea of solving problems in logic by first translating them to algebra, then using the powerful methodology of algebra for solving them, and then translating the solution back to logic, goes back to Leibniz and Pascal. Papers on the history of Logic (e.g. Anellis-Houser [AH91], Maddux [Ma91]) point out that this method was fruitfully applied in the 19th century not only to propositional logics but also to quantifier logics (De Morgan, Peirce, etc. applied it to quantifier logics too). The number of applications has grown ever since. (Though some of these remained unnoticed, e.g. the celebrated Kripke-Lemmon completeness theorem for modal logic w.r.t. Kripke models was first proved by Jonsson and Tarski in 1948 using algebraic logic.) 

For brevity, we will refer to the above method or procedure as "applying Algebraic Logic (AL) to Logic". This expression might be somewhat misleading since AL itself happens to be a part of logic, and we do not intend to deny this. We will use the expression all the same, and hope the reader will not misunderstand our intention. 

In items (i) and (ii) below we describe two of the main motivations for applying AL to Logic. 

*We are very grateful to Ágnes Kurucz for substantial contribution to both the contents and the form of this work. 

(i) This is the more obvious one: When working with a relatively new kind of problem, it often proves useful to "transform" the problem into a well understood and streamlined area of mathematics, solve the problem there and translate the result back. Examples include the method of the Laplace Transform in solving differential equations (a central tool in Electrical Engineering). 

At this point we should dispel a misunderstanding: In certain circles of logicians there seems to be a belief that AL applies only to syntactical problems of logic and that semantical and model-theoretic problems are not treated by AL, or at least not in their original model theoretic form. Nothing can be as far from the truth as this belief, as e.g. looking into the present work should reveal. A variant of this belief is that the main bulk of AL is about offering a cheap pseudo semantics to Logics as a substitute for intuitive, model theoretic semantics. Again, this is very far from being true. (This is a particularly harmful piece of misinformation, because this "slander" is easy to believe if one looks only superficially into a few AL papers.) To illustrate how far this belief is from the truth, the semantical-model theoretic parts of the present work emphasize that they start out from a logical system $\mathcal{L}$ whose semantics is as intuitive and as non-algebraic as it wants to be, and then we transform $\mathcal{L}$ into algebra, paying special attention to not distorting its semantics in the process; and anyway, finally we translate the solutions back to the very original non-algebraic framework (including model theoretical semantics). 

In the present paper we define the algebraic counterpart $\mathrm{Alg}(\mathcal{L})$ of a logic $\mathcal{L}$ together with the algebraic counterpart $\mathrm{Alg}_2(\mathcal{L})$ of the semantical-model theoretical ingredients of $\mathcal{L}$. Then we prove equivalence theorems, which to essential logical properties of $\mathcal{L}$ associate natural and well investigated properties of $\mathrm{Alg}(\mathcal{L})$, such that if we want to decide whether $\mathcal{L}$ has a certain property, we will know what to ask from our algebraist colleague about $\mathrm{Alg}(\mathcal{L})$. The same devices are suitable for finding out what one has to change in $\mathcal{L}$ if we want to have a variant of $\mathcal{L}$ having a desirable property (which $\mathcal{L}$ lacks). To illustrate these applications we include several exercises (which deal with various concrete Logics). For all this, first we have to define what we understand by a logic $\mathcal{L}$ in general (because otherwise it is impossible to define e.g. the function $\mathrm{Alg}$ associating a class $\mathrm{Alg}(\mathcal{L})$ of algebras to each logic $\mathcal{L}$). 

(ii) With the rapidly growing variety of applications of logic (in diverse areas like computer science, linguistics, AI, law, etc.) there is a growing number of new logics to be investigated. In this situation AL offers us a tool for economy and a tool for unification in various ways. One of these is that $\mathrm{Alg}(\mathcal{L})$ is always a class of algebras, therefore we can apply the same machinery, namely Universal Algebra, to study all the new logics. In other words we bring all the various logics to a kind of "normal form" where they can be studied by uniform methods. Moreover, for most choices of $\mathcal{L}$, $\mathrm{Alg}(\mathcal{L})$ tends to appear in the same "area" of Universal Algebra, hence specialized powerful methods lend themselves to studying $\mathcal{L}$. There is a fairly well understood "map" available for the landscape of Universal Algebra. By using our algebraization process and equivalence theorems we can project this "map" back to the (far less understood) landscape of possible logics. 


2. General framework for studying logics 

Defining a logic is an experience similar to defining a language. (This is no coincidence if you think about the applications of logic in e.g. theoretical linguistics.) So how do we define a language, say a programming language like Pascal? First one defines the syntax of Pascal. This amounts to defining the set of all Pascal programs. This definition tells us which strings of symbols count as Pascal programs and which do not. But this information in itself is not very useful, because having only this information enables the user to write programs, but the user will have no idea what his programs will do. (This is more sensible if instead of Pascal we take a more esoteric language like ALGOL 68.) Indeed, the second, and more important, step in defining Pascal amounts to describing what the various Pascal programs will do when executed. In other words we have to define the meaning, or semantics, of the language, e.g. of Pascal. Defining semantics can be done in two steps: (i) we define the class M of possible machines that understand Pascal, and then (ii) to each machine 𝔐 and each string φ of symbols that counts as a Pascal program we tell what 𝔐 will do if we "ask" it to execute φ. In other words we define the meaning mean(φ, 𝔐) of program φ in machine 𝔐. 

The procedure remains basically the same if the language in question is not a programming language but something like a natural language or a simple declarative language like first-order logic. When teaching a foreign language, e.g. German, one has to explain which strings of symbols are German sentences and which are not (e.g. "Der Tisch ist rot" is a German sentence while "Das Tisch ist rot" is not). This is called explaining the syntax of German. Besides this, one has to explain what the German sentences mean. This amounts to defining the semantics of German. If we want to formalize the definition of semantics (for, say, a fragment of German) then one again defines a class M of possible situations or, in other words, "possible worlds" in which our German sentences are interpreted, and then to each situation 𝔐 and each sentence φ we define the meaning or denotation mean(φ, 𝔐) of φ in situation (or possible world) 𝔐. 

At this point we could discuss the difference between a language and a logic, but we do not need that. It is enough to say that the two things are very, very similar.¹ 

Soon (in Definition 2.1 below) we will define what we mean by a logic. Roughly speaking, a logic 𝓛 is a triple 

𝓛 = (F_𝓛, M_𝓛, mean_𝓛), 

where 

• F_𝓛 is a set, called the set of all formulas of 𝓛, 
• M_𝓛 is a class, called the class of all models (or possible worlds) of 𝓛, 
• mean_𝓛 is a function with domain F_𝓛 × M_𝓛, called the meaning function of 𝓛. 

¹ The philosophically minded reader might enjoy looking into the book [PM], cf. e.g. B. Partee's paper therein. More elementary ones are: Sain [SSO/a] and [SM/b]. 

Intuitively, F_𝓛 is the collection of "texts" or "sentences" or "formulas" that can be "said" in the language 𝓛. The meaning function tells us what the texts belonging to F_𝓛 mean in the possible worlds from M_𝓛. 

Often, instead of mean_𝓛, we rather have a relation ⊨_𝓛 ⊆ M_𝓛 × F_𝓛, called the validity relation. In more detail, very often the relation ⊨_𝓛 is definable from mean_𝓛 (and vice versa); but in general, we may have a logic 𝓛 where ⊨_𝓛 does not make sense at all. 

When no confusion is likely, we omit the subscripts 𝓛 from F_𝓛, M_𝓛 etc. 

A typical definition of F has the following recursive form. Two sets, P and LC, are given; P is called the set of primitive or atomic formulas and LC is called the set of logical connectives (these are operation symbols with finite or infinite ranks). Then we require F to be the smallest set H satisfying 

(1) P ⊆ H, and 

(2) for every φ₁, …, φₙ ∈ H and f ∈ LC of rank n, f(φ₁, …, φₙ) ∈ H. 

For example, in propositional logic, if p₁, p₂ are propositional variables (atomic formulas according to our terminology), then (p₁ ∧ p₂) is defined to be a formula (where ∧ is a logical connective of rank 2). 

For formulas φ ∈ F and models 𝔐 ∈ M, mean(φ, 𝔐) is defined in a uniform way (by some finite "schema"). 

For a logic 𝓛 = (F, M, mean), F belongs to the syntactic part, while M and mean belong to the semantical part of 𝓛. Figure 1 below illustrates the general pattern ("fan-structure") of a logic. 

[Figure 1: the "fan-structure" of a logic. Syntax on one side, semantics on the other; the meaning function connects each formula to the (huge) collection M of possible worlds (or models) 𝔐.] 

Though above we said that a logic is only roughly speaking a triple as described above, in Definition 2.1 below we call such a triple a logic. This definition of a logic is very crude. However, we will see that it serves the purposes of the present paper well. Therefore we do not try here to give a more refined definition of a logic. 

In Definition 2.1 we give the definition of a logic with validity relation ⊨. We will turn to logics with meaning functions only in section 2.1 later. 

DEFINITION 2.1 (Logic): 

By a logic 𝓛 we mean an ordered triple 

⟨F_𝓛, M_𝓛, ⊨_𝓛⟩, 

where (i)–(iii) below hold. 

(i) F_𝓛 (called the set of formulas) is a subset of the finite sequences (called words) over some set X (called the alphabet of 𝓛), that is, 

F_𝓛 ⊆ X* = {⟨a₀, …, a_{n−1}⟩ : n ∈ ω, (∀i < n) aᵢ ∈ X}; 

(ii) M_𝓛 is a class (called the class of models); 

(iii) ⊨_𝓛 (called the validity relation) is a relation between M_𝓛 and F_𝓛, that is, ⊨_𝓛 ⊆ M_𝓛 × F_𝓛. ◄ 

DEFINITION 2.2 (Semantical Consequence): 

Let 𝓛 = (F_𝓛, M_𝓛, ⊨_𝓛) be a logic. For every 𝔐 ∈ M_𝓛, Σ ⊆ F_𝓛, 

𝔐 ⊨_𝓛 Σ ⇔ (∀φ ∈ Σ) 𝔐 ⊨_𝓛 φ, 

Mod(Σ) = {𝔐 ∈ M_𝓛 : 𝔐 ⊨_𝓛 Σ}. 

A formula φ is said to be valid, in symbols ⊨_𝓛 φ, iff Mod({φ}) = M_𝓛. For any Σ ∪ {φ} ⊆ F_𝓛, 

Σ ⊨_𝓛 φ ⇔ Mod(Σ) ⊆ Mod({φ}). 

If Σ ⊨_𝓛 φ, then we say that φ is a semantical consequence of Σ (in logic 𝓛). ◄ 

Now we define some basic logics. Though we think the reader is familiar with classical propositional logic, for fixing our notation we start with the definition of it. 

DEFINITION 2.3 (Propositional or Sentential Logic 𝓛_S): 

Let P be an arbitrary but fixed set, and let ∧ be a binary and ¬ a unary logical connective (operation symbol). P is called the set of all atomic formulas (or propositional variables) of propositional logic. 

(1) The set F_S of formulas of propositional logic is defined to be the smallest set H satisfying the following two conditions: 

• P ⊆ H, and 

• φ, ψ ∈ H ⇒ (φ ∧ ψ), (¬φ) ∈ H. 

(2) The class M_S of models of propositional logic is defined as 

M_S = {⟨W, v⟩ : W is a non-empty set and v : P → 𝒫(W)}. 

If 𝔐 = ⟨W, v⟩ ∈ M_S then W is called the set of possible worlds (or states or situations) of 𝔐. 

(3) Let ⟨W, v⟩ ∈ M_S, w ∈ W, and φ ∈ F_S. We define the binary relation w ⊩_v φ by recursion on the complexity of φ as follows: 

• if p ∈ P then (w ⊩_v p ⇔ w ∈ v(p)); 

• if ψ₁, ψ₂ ∈ F_S, then 

w ⊩_v ¬ψ₁ ⇔ w ⊮_v ψ₁, 

w ⊩_v ψ₁ ∧ ψ₂ ⇔ w ⊩_v ψ₁ and w ⊩_v ψ₂. 

If w ⊩_v φ then we say that φ is true in w, or w forces φ. 

We say that φ is true in ⟨W, v⟩, in symbols ⟨W, v⟩ ⊨_S φ or W ⊨_S φ[v], iff for every w ∈ W, w ⊩_v φ. 

Now, propositional (or sentential) logic is defined to be the triple 

𝓛_S = (F_S, M_S, ⊨_S). ◄ 


EXERCISE 2.1: 

Let (φ → ψ) := ¬(φ ∧ ¬ψ) and (φ ↔ ψ) := ((φ → ψ) ∧ (ψ → φ)). Prove that 

• {φ} ⊨_S ψ ⇔ ⊨_S (φ → ψ) 

• ({φ} ⊨_S ψ and {ψ} ⊨_S φ) ⇔ ⊨_S (φ ↔ ψ). ◄ 

DEFINITION 2.4 (Modal logics S5, K; Arrow logics 𝓛_ARWO, 𝓛_ARWRL): 

For each logic in this definition, first a relation ⊩ similar to the one in Definition 2.3 will be given, and the validity relation ⊨ will be defined from ⊩ exactly the same way as in Definition 2.3. 

The set of connectives of modal logics S5 and K is {∧, ¬, ◇}. 

• The set of formulas (denoted as F_S5) of S5 is defined as that of 𝓛_S together with the following clause: 

φ ∈ F_S5 ⇒ ◇φ ∈ F_S5. 

Let M_S5 = M_S. The definition of w ⊩_v φ is the same as in the propositional case, but we also have the case of ◇: 

w ⊩_v ◇φ ⇔ (∃w' ∈ W) w' ⊩_v φ. 

Now, modal logic S5 is S5 = (F_S5, M_S5, ⊨). 

• The formulas of logic K are those of S5: F_K = F_S5. The models of K are those of S5 together with a binary relation R (called the accessibility relation) for each model. More precisely, 

M_K = {(⟨W, v⟩, R) : ⟨W, v⟩ ∈ M_S and R ⊆ W × W}. 

The definition of w ⊩_v φ is as above, but in the case of ◇ we require that w' is accessible from w, that is, 

w ⊩_v ◇φ ⇔ (∃w' ∈ W)(R(w, w') and w' ⊩_v φ). 

Then modal logic K is K = (F_K, M_K, ⊨). 

The set of connectives of the arrow logics 𝓛_ARWO, 𝓛_ARWRL is {∧, ¬, ∘, ⌣, Id}. 

• The set of formulas of 𝓛_ARWO (denoted as F_ARWO and called arrow formulas) is defined as follows. All sentential formulas are arrow formulas (i.e. F_S ⊆ F_ARWO), and 

φ, ψ ∈ F_ARWO ⇒ φ ∘ ψ, φ⌣ ∈ F_ARWO, 
Id ∈ F_ARWO. 

The models are those of propositional logic 𝓛_S enriched with three accessibility relations. That is, 

M_ARWO = {(⟨W, v⟩, C₁, C₂, C₃) : ⟨W, v⟩ ∈ M_S, C₁ ⊆ W × W × W, C₂ ⊆ W × W, C₃ ⊆ W}. 

For the sentential connectives ¬ and ∧ the definition of w ⊩_v φ is the same as in the sentential case. For the new connectives we have: 

w ⊩_v φ ∘ ψ ⇔ (∃w₁, w₂ ∈ W)(C₁(w, w₁, w₂) & w₁ ⊩_v φ & w₂ ⊩_v ψ), 

w ⊩_v φ⌣ ⇔ (∃w' ∈ W)(C₂(w, w') & w' ⊩_v φ), 

w ⊩_v Id ⇔ C₃(w). 

Then arrow logic 𝓛_ARWO is 𝓛_ARWO = (F_ARWO, M_ARWO, ⊨). 

• The formulas of 𝓛_ARWRL are the arrow formulas, i.e. F_ARWRL = F_ARWO. The models are those of 𝓛_ARWO with the following restriction. For every model in M_ARWRL, W is a binary relation on some set U, that is, W ⊆ U × U. Moreover, C₁ is relational composition, C₂ is the converse relation, and C₃ is the identity on U, respectively. More precisely, for any w₁, w₂, w₃ ∈ W, we let 

C₁(w₁, w₂, w₃) ⇔ (∃u₁, u₂, u₃ ∈ U)(w₁ = ⟨u₁, u₃⟩ & w₂ = ⟨u₁, u₂⟩ & w₃ = ⟨u₂, u₃⟩), 

C₂(w₁, w₂) ⇔ (∃u₁, u₂ ∈ U)(w₁ = ⟨u₁, u₂⟩ & w₂ = ⟨u₂, u₁⟩), 

C₃(w₁) ⇔ (∃u ∈ U) w₁ = ⟨u, u⟩. 

Given these restrictions, the definition of ⊩ is the same as in the previous case. Arrow logic 𝓛_ARWRL is 𝓛_ARWRL = (F_ARWRL, M_ARWRL, ⊨). ◄ 
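The forcing relations of Definitions 2.3 and 2.4 and the consequence relation of Definition 2.2 can be run on finite models, which also lets one check the two equivalences of Exercise 2.1 on concrete formulas. The Python below is an added example, not code from the paper: formulas are encoded as nested tuples (a constructed encoding), a Kripke model without an accessibility relation stands for an S5 model ⟨W, v⟩ (its ◇ clause then ranges over all of W, as in the definition), a model with a relation R is a K model, and Σ ⊨ φ is computed as Mod(Σ) ⊆ Mod({φ}) over the finite class of all propositional models with a fixed two-element W and two atoms.

```python
from itertools import combinations, product

# Formulas as nested tuples (constructed encoding, not the paper's notation):
#   ("p", name)        atomic formula p in P
#   ("not", phi)       negation
#   ("and", phi, psi)  conjunction
#   ("dia", phi)       diamond (S5 and K only)
def Atom(name): return ("p", name)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Dia(f): return ("dia", f)
# Derived connectives of Exercise 2.1: (phi -> psi) := not(phi and not psi), <-> := both directions
def Imp(f, g): return Not(And(f, Not(g)))
def Iff(f, g): return And(Imp(f, g), Imp(g, f))


class KripkeModel:
    """A model ((W, v), R): worlds W, valuation v: P -> P(W), accessibility R subset of W x W.
    access=None gives an S5 model <W, v> of Def. 2.4: the diamond clause ranges over all of W."""

    def __init__(self, worlds, valuation, access=None):
        self.W = frozenset(worlds)
        self.v = {p: frozenset(ws) for p, ws in valuation.items()}
        self.R = None if access is None else frozenset(access)

    def forces(self, w, phi):
        """w forces phi (w ||-_v phi), by recursion on the complexity of phi."""
        tag = phi[0]
        if tag == "p":
            return w in self.v.get(phi[1], frozenset())
        if tag == "not":
            return not self.forces(w, phi[1])
        if tag == "and":
            return self.forces(w, phi[1]) and self.forces(w, phi[2])
        if tag == "dia":
            # S5: some w' in W forces phi; K: some R-accessible w' forces phi
            successors = self.W if self.R is None else {w2 for (w1, w2) in self.R if w1 == w}
            return any(self.forces(w2, phi[1]) for w2 in successors)
        raise ValueError(f"unknown connective {tag!r}")

    def valid(self, phi):
        """M |= phi iff every world of M forces phi."""
        return all(self.forces(w, phi) for w in self.W)


def consequence(models, sigma, phi):
    """Sigma |= phi relative to the given class of models: Mod(Sigma) is a subset of Mod({phi})."""
    return all(m.valid(phi) for m in models if all(m.valid(s) for s in sigma))


def all_propositional_models(atoms, worlds):
    """Every <W, v> in M_S over a fixed finite W and finite P: each v(p) is a subset of W."""
    worlds = list(worlds)
    subsets = [frozenset(c) for n in range(len(worlds) + 1) for c in combinations(worlds, n)]
    return [KripkeModel(worlds, dict(zip(atoms, choice)))
            for choice in product(subsets, repeat=len(atoms))]


def exercise_2_1_holds(models, phi, psi):
    """Both equivalences of Exercise 2.1, checked over a finite class of models."""
    first = consequence(models, [phi], psi) == all(m.valid(Imp(phi, psi)) for m in models)
    both = consequence(models, [phi], psi) and consequence(models, [psi], phi)
    second = both == all(m.valid(Iff(phi, psi)) for m in models)
    return first and second
```

The class of two-world models is closed under taking one-world submodels, which is what makes the finite check of Exercise 2.1 faithful: a world refuting φ → ψ is itself a one-world model of φ that is not a model of ψ.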


EXERCISE 2.2: Try to find similarities and differences between the logics 𝓛_S, S5, K, 𝓛_ARWO and 𝓛_ARWRL. ◄ 

EXERCISE 2.3: Consider the fragments of the arrow logics 𝓛_ARWO and 𝓛_ARWRL defined above which differ from the original versions only in that they do not contain the logical connectives ⌣ and Id. Prove that the fragment of 𝓛_ARWO is equivalent to the fragment of 𝓛_ARWRL in the sense that they have the same semantical consequence relation ⊨. 

Prove that 𝓛_ARWO is not equivalent, in the above sense, to 𝓛_ARWRL. ◄ 
DEFINITION 2.5 (First-order Logic with n variables 𝓛_n): 

First-order logic with n variables is defined to be a triple 

𝓛_n = (F_n, M_n, ⊨) 

for which conditions (1)–(3) below hold. 

(1) Let V = {v₀, …, v_{n−1}} be a set, called the set of variables. Let the set P of atomic formulas be defined as P = {rᵢ(v₀ … v_{n−1}) : i ∈ I} for some set I. Then the set F_n of formulas is the smallest set H satisfying 

• P ⊆ H, 

• v = w ∈ H for each v, w ∈ V, 

• φ, ψ ∈ H, v ∈ V ⇒ ¬φ, φ ∧ ψ, ∃vφ ∈ H. 

(2) The class M_n of models of 𝓛_n is defined by 

M_n = {⟨A, Rᵢ⟩_{i∈I} : A is a non-empty set and Rᵢ ⊆ ⁿA (i ∈ I)}. 

If 𝔐 = ⟨A, Rᵢ⟩_{i∈I} ∈ M_n then A is called the universe (or carrier) of 𝔐. 

(3) Let 𝔐 = ⟨A, Rᵢ⟩_{i∈I} ∈ M_n, q ∈ ⁿA, and φ ∈ F_n. We define the ternary relation 𝔐 ⊨ φ[q] by induction on the complexity of φ: 

𝔐 ⊨ rᵢ(v₀ … v_{n−1})[q] ⇔ q ∈ Rᵢ (i ∈ I), 

𝔐 ⊨ vᵢ = vⱼ[q] ⇔ qᵢ = qⱼ (i, j < n), 

if ψ₁, ψ₂ ∈ F_n, then 

𝔐 ⊨ ¬ψ₁[q] ⇔ not 𝔐 ⊨ ψ₁[q], 

𝔐 ⊨ ψ₁ ∧ ψ₂[q] ⇔ 𝔐 ⊨ ψ₁[q] and 𝔐 ⊨ ψ₂[q], 

𝔐 ⊨ ∃vᵢψ₁[q] ⇔ (∃q' ∈ ⁿA)[(∀j ≠ i) q'ⱼ = qⱼ & 𝔐 ⊨ ψ₁[q']]. 

If 𝔐 ⊨ φ[q] then we say that the evaluation q satisfies φ in model 𝔐. We say that 𝔐 ⊨ φ iff for every q ∈ ⁿA, 𝔐 ⊨ φ[q]. ◄ 
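The satisfaction relation 𝔐 ⊨ φ[q] of Definition 2.5 is likewise executable on a finite model. The Python below is an added example (not the paper's own code): formulas of 𝓛_n are encoded as nested tuples carrying variable indices, the ∃vᵢ clause varies exactly coordinate i of the evaluation q, and 𝔐 ⊨ φ quantifies over all q ∈ ⁿA. The sample model with n = 2, universe {0, 1, 2} and R₀ the strict order < is constructed here for illustration; note that, as in the definition, an atomic formula is always rᵢ(v₀ v₁), so "v₁ < v₀" is not directly expressible.

```python
from itertools import product

# Formulas of L_n (Def. 2.5) as nested tuples (constructed encoding):
#   ("r", i)                          atomic formula r_i(v_0 ... v_{n-1})
#   ("eq", i, j)                      v_i = v_j
#   ("not", phi), ("and", phi, psi)   negation, conjunction
#   ("exists", i, phi)                exists v_i phi  (i indexes the variable v_i)


class NVarModel:
    """M = <A, R_i>_{i in I}: non-empty universe A and n-ary relations R_i, subsets of A^n."""

    def __init__(self, n, universe, relations):
        self.n = n
        self.A = list(universe)
        self.R = {i: frozenset(tuple(t) for t in rel) for i, rel in relations.items()}

    def satisfies(self, phi, q):
        """M |= phi[q] for an evaluation q in A^n, by induction on phi (Def. 2.5(3))."""
        q = tuple(q)
        if len(q) != self.n:
            raise ValueError("an evaluation must assign all n variables")
        tag = phi[0]
        if tag == "r":
            return q in self.R[phi[1]]
        if tag == "eq":
            return q[phi[1]] == q[phi[2]]
        if tag == "not":
            return not self.satisfies(phi[1], q)
        if tag == "and":
            return self.satisfies(phi[1], q) and self.satisfies(phi[2], q)
        if tag == "exists":
            i, body = phi[1], phi[2]
            # q' agrees with q on every coordinate j != i
            return any(self.satisfies(body, q[:i] + (a,) + q[i + 1:]) for a in self.A)
        raise ValueError(f"unknown connective {tag!r}")

    def valid(self, phi):
        """M |= phi iff every evaluation q in A^n satisfies phi."""
        return all(self.satisfies(phi, q) for q in product(self.A, repeat=self.n))

    def satisfying_evaluations(self, phi):
        """The set {q in A^n : M |= phi[q]}, i.e. the meaning of phi in M (cf. section 2.1)."""
        return {q for q in product(self.A, repeat=self.n) if self.satisfies(phi, q)}


# Constructed sample: n = 2, A = {0, 1, 2}, R_0 = {(a, b) : a < b}
SAMPLE = NVarModel(2, [0, 1, 2], {0: [(0, 1), (0, 2), (1, 2)]})
HAS_SUCCESSOR = ("exists", 1, ("r", 0))                  # exists v_1 r_0(v_0 v_1)
IRREFLEXIVE = ("not", ("and", ("r", 0), ("eq", 0, 1)))  # not (r_0(v_0 v_1) and v_0 = v_1)
```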

*** 


DEFINITION 2.6 (Theory): 

Let 𝓛 = (F, M, ⊨) be any logic. For any K ⊆ M let the theory of K be defined as 

Th(K) = {φ ∈ F : (∀𝔐 ∈ K) 𝔐 ⊨ φ}. ◄ 
Recall the notions of recursively enumerable and decidable sets (of formulas). 

DEFINITION 2.7 (Decidability of Logics): 

We say that a logic 𝓛 is decidable iff Th(M_𝓛) is a decidable set of formulas. ◄ 

THEOREM 2.2 (Decidability of 𝓛_S and S5). Propositional logic 𝓛_S and modal logic S5 are decidable. ∎ 

This theorem will be proved later. We will show that, in both cases, the set of valid formulas is recursively enumerable (r.e.) and that these logics have the finite model property (to be defined later). 


2.1. Logics with satisfaction and/or meaning 


Defining a logic as (F, M, ⊨) with ⊨ ⊆ M × F is an oversimplification for the following reasons. If we look at the logics in Defs. 2.3–5 (S5, 𝓛_n, etc.) we will notice that they contain a richer semantical structure than just a binary relation ⊨ ⊆ M × F. In each case, there is a class Par of parameters and a ternary relation ⊩ ⊆ M × Par × F which is usually called the satisfaction relation. In the definition of S5 we should have written (𝔐, w) ⊩ φ, or at least 𝔐, w ⊩ φ, instead of w ⊩_v φ. However, for simplicity we used the latter, and we used the subscript "v" to indicate the presence of 𝔐. Anyway, a little reflection reveals that the definition of S5 uses a ternary relation "𝔐, w ⊩ φ", where w was called a possible situation (world) of 𝔐. 

The same applies to 𝓛_ARWO, etc. Perhaps the least trivial case is that of 𝓛_n. There we use "𝔐, q ⊩ φ", where 𝔐 = ⟨A, Rᵢ : i ∈ I⟩ and q ∈ ⁿA. In the case of 𝓛_n, the traditional way of writing "𝔐, q ⊩ φ" is "𝔐 ⊨ φ[q]", and it is pronounced as: the evaluation q satisfies φ in the model 𝔐. 

In each of the logics we saw so far, first (F, M, ⊩) is defined and then the binary validity relation ⊨ is derived (in some way) from the deeper, more substantial relation ⊩ (in a sense, ⊨ was always a "simplified part" of ⊩). In all of our examples the following derivation of ⊨ from ⊩ works. 

(*) 𝔐 ⊨ φ iff (∀ψ ∈ F)(∀w)[(𝔐, w ⊩ ψ) ⇒ (𝔐, w ⊩ φ)]. 



EXERCISE 2.1.1: Check that (*) above is true for all the logics we defined so far. ◄ 

EXERCISE 2.1.2: Show that while ⊨ can be derived (i.e. recovered) from ⊩, in most of our logics ⊩ cannot be recovered from ⊨. ◄ 

There are ways other than (*) above for deriving ⊨ from ⊩. E.g. (**) below works too (for the logics considered so far): 

(**) 𝔐 ⊨ φ iff (∀ψ ∈ F)(∀w)[(𝔐, w ⊩ (ψ ↔ ψ)) ⇒ (𝔐, w ⊩ φ)] 

(cf. Exercise 2.1). 

DEFINITION 2.1.1 (Logic with Satisfaction): 

By a logic with satisfaction we understand a quadruple 𝓛 = (F, M, ⊨, ⊩), where 

(i) (F, M, ⊨) is a logic in the sense of Def. 2.1; 

(ii) ⊨ is derived from ⊩ in a manner similar to (*) or (**) above. ◄ 

We know that item (ii) in the above definition is somewhat vague. If that would disturb the reader, it is safe to substitute (*) for (ii).² 

EXERCISE 2.1.3: Show logics (in the sense of Def. 2.1) in which, though ⊨ can be derived from ⊩ in some way, neither (*) nor (**) hold. ◄ 



Instead of the above concept of a logic with satisfaction, we will use a less ad-hoc variant which is at least as general as the above one. The idea is the following. Given a syntactic entity (a formula) φ ∈ F and a possible world 𝔐 ∈ M, instead of giving a truth value (𝔐 ⊨ φ or 𝔐 ⊭ φ) to φ in 𝔐, we associate a meaning to φ in 𝔐. Certainly, the most natural (and most general) thing a syntactic expression φ might have in an environment or world 𝔐 is a meaning. What that meaning will be might depend on the kind of expression φ we are looking at, and the kind of 𝔐 we have in mind. E.g. the meaning might be a truth value (True, False); or an element of the set 𝔐 denoted by φ, more generally a denotation; if φ is a program and 𝔐 is a machine then the meaning of φ might be the function computed by φ in 𝔐; or if we are in a logic with satisfaction then it might be the set {w : 𝔐, w ⊩ φ}. 

DEFINITION 2.1.2 (Logic with Meaning): 

By a logic with meaning we understand a quadruple 𝓛 = (F, M, ⊨, mean), where mean is a function with domain F × M and conditions (i), (ii) below hold. 

(i) (F, M, ⊨) is a logic in the sense of Def. 2.1; 

(ii) ⊨ is derived from mean either by (***) below or by a similar definition. 

(***) 𝔐 ⊨ φ iff (∀ψ ∈ F)[mean(ψ, 𝔐) ⊆ mean(φ, 𝔐)], 

for all φ ∈ F, 𝔐 ∈ M. ◄ 

² We wanted to keep our definition more general, but that is not essential for the present work. Also, we felt that condition (*) is not as essential to the concept of a logic as the admittedly vague formulation of (ii). 


A similar remark applies to (ii) above as the one below Def. 2.1.1. 

EXERCISE 2.1.4: Prove that logics with satisfaction and those with meaning are equivalent in the following sense: 

(1) To every logic 𝓛_mean = (F, M, ⊨, mean) with meaning there is some logic 𝓛_sat = (F, M, ⊨, ⊩) with satisfaction such that they are interdefinable; and 

(2) To every 𝓛_sat there is an 𝓛_mean as in (1) above. 

(Hint: Assume 𝓛_mean = (…, mean) is given. Let 

Par = ∪Rng(mean) = ∪{mean(φ, 𝔐) : φ ∈ F, 𝔐 ∈ M}. 

For w ∈ Par define [(𝔐, w ⊩ φ) ⇔ w ∈ mean(φ, 𝔐)]. In the other direction (i.e. assuming 𝓛_sat is given first) mean(φ, 𝔐) = {w : 𝔐, w ⊩ φ}. Show that using these definitions 𝓛_mean and 𝓛_sat are completely recoverable from each other.) ◄ 

EXERCISE 2.1.5: Show logics (in the sense of Def. 2.1) in which, though there is a "sensible" meaning function, condition (***) above does not hold. (Hint: Try e.g. many-valued logics.) ◄ 










3. Bridge between the world of logics and the world of algebras 

The algebraic counterpart of classical sentential logic 𝓛_S is the variety BA of Boolean algebras. Why is this so important? The answer lies in the general experience that it is usually much easier to solve a problem concerning 𝓛_S by translating it to BA, solving the algebraic problem, and then translating the result back to 𝓛_S (than by solving it directly in 𝓛_S). 

In this section we extend the applicability of BA to 𝓛_S to the applicability of algebra in general to logics in general. We will introduce a standard translation method from logic to algebra, which to each logic 𝓛 associates a class of algebras Alg₁(𝓛). (Of course, Alg₁(𝓛_S) will be BA.) Further, this translation method will tell us how to find the algebraic question corresponding to a logical question. If the logical question is about 𝓛 then its algebraic equivalent will be about Alg₁(𝓛). For example, if we want to decide whether 𝓛 has the proof-theoretic property called Craig's interpolation property, then it is sufficient to decide whether Alg₁(𝓛) has the so-called amalgamation property (for which there are powerful methods in the literature of algebra). If the logical question concerns connections between several logics, say between 𝓛₁ and 𝓛₂, then the algebraic question will be about connections between Alg₁(𝓛₁) and Alg₁(𝓛₂). (The latter are quite often simpler, hence easier to investigate.) 




3.1. Basic concepts 


The definition of logic in section 2 is very wide. Actually, it is too wide for proving interesting theorems about logics. Now we will define a subclass of logics which we will call nice logics. Our notion of nice logic is wide enough to cover the logics mentioned in the previous section; moreover, it is broad enough to cover almost all logics investigated in the literature. (Certain quantifier logics might need a little reformulation for this, but that reformulation does not affect the essential aspects of the logic in question, as we will see.) On the other hand, the class of nice logics is narrow enough for proving interesting theorems about them, i.e., we will be able to establish typical logical facts that hold for most logics studied in the literature. 

Before reading Def. 3.1.1 below, it might be useful to contemplate the common features of the logics studied so far, e.g. 𝓛_S, S5, 𝓛_ARWO, 𝓛_n. When presenting this material in class, many more logics were discussed in order to motivate the definition of a nice logic. Some of these logics are collected in section 3.4 below. It might be a good idea to look into 3.4 too before reading the definition below. 

In all the logics studied so far (and also in 3.4), the biconditional ↔ is available as a derived connective. In condition (3) of Def. 3.1.1 there will occur a new symbol "∇" denoting a derived connective of the logic in question. At first reading it is a good idea to identify "∇" with our old biconditional ↔. Certainly, if we replaced condition (3) with the simpler assumption that ↔ is expressible in our logic 𝓛 then all theorems would remain true. However, at a second reading of the definition it might be useful to observe that our condition (3) is a weaker assumption than expressibility of ↔ (and that this makes the class of nice logics broader). 

We also note that the theorems of section 3.2 below (based on the next definition) can be proved in a more general setting (cf. [ANS84]). Here we make these restrictions in order to make the methodology more transparent. 

DEFINITION 3.1.1 (Nice Logic, Strongly Nice Logic): 

Let 𝓛 = (F, M, ⊨) be a logic in the sense of Definition 2.1 (i.e. F is a set, M is a class, and ⊨ ⊆ M × F). 

We say that 𝓛 is a nice logic if conditions (1–4) below hold for 𝓛. 

(1) A finite set Cn(𝓛), called the set of logical connectives of 𝓛, is fixed. Every c ∈ Cn(𝓛) has some rank rank(c) ∈ ω. The set of all logical connectives of rank k is denoted by Cn_k(𝓛). 

There is a set P, called the set of atomic formulas (or parameters or propositional variables or …), such that F is the smallest set satisfying conditions (a–b) below. 

(a) P ⊆ F, 

(b) if c ∈ Cn_k(𝓛) and φ₁, …, φ_k ∈ F then c(φ₁, …, φ_k) ∈ F. 

The word-algebra generated by P using the logical connectives from Cn(𝓛) as algebraic operations is denoted by 𝔉, that is, 𝔉 = ⟨F, c⟩_{c ∈ Cn(𝓛)}. 𝔉 is called the formula algebra of 𝓛. 

(2) We assume that a function mean is given with Dom(mean) = F × M and that mean_𝔐 = ⟨mean(φ, 𝔐) : φ ∈ F⟩ is a homomorphism from 𝔉 for every 𝔐 ∈ M (cf. section 2.1). 

(3) We assume that there are "derived" connectives "True" (zero-ary) and "∇" (binary) of 𝓛 with the following properties: 

(i) (∀𝔐 ∈ M)(∀φ, ψ ∈ F)[𝔐 ⊨ (φ∇ψ) ⇔ mean_𝔐(φ) = mean_𝔐(ψ)]. 

(ii) (∀𝔐 ∈ M)(∀φ ∈ F)[𝔐 ⊨ True∇φ ⇔ 𝔐 ⊨ φ]. 

(By "derived" we mean that "True" and "∇" are not necessarily members of Cn(𝓛). They are only "built up" from elements of Cn(𝓛). But we do not know from which elements of Cn(𝓛) "True" or "∇" are built up, or how. We do not care!) 

(4) (∀ψ, φ₀, …, φₙ ∈ F)(∀p₀, …, pₙ ∈ P)[⊨ ψ(p̄) ⇒ ⊨ ψ(p̄/φ̄)], 

where p̄ = ⟨p₀, …, pₙ⟩, φ̄ = ⟨φ₀, …, φₙ⟩, and ψ(p̄/φ̄) denotes the formula that we get from ψ after substituting φᵢ for every occurrence of pᵢ (0 ≤ i ≤ n) in ψ. We refer to this condition as '𝓛 has the substitution property'. 

𝓛 is called strongly nice iff it is nice and satisfies condition (5) below. 

(5) (∀s ∈ ᴾF)(∀𝔐 ∈ M)(∃𝔑 ∈ M)(∀φ(p₀, …, pₙ) ∈ F) 

(+) mean_𝔐(φ) = mean_𝔑(φ(p₀/s(p₀), …, pₙ/s(pₙ))). 

Let ŝ ∈ Hom(𝔉, 𝔉) be the natural extension of s to F. Then (+) says mean_𝔐(φ) = mean_𝔑(ŝ(φ)). If this property holds, then we say that the logic '𝓛 has the semantical substitution property' (the model 𝔑 is the substituted version of 𝔐 along substitution s). ◄ 

Recall that if 𝔄 and 𝔅 are two similar algebras, then Hom(𝔄, 𝔅) denotes the set of all homomorphisms from 𝔄 into 𝔅. 

REMARKS 3.1.1.1: 

(i) An equivalent form of (+) above is the very natural condition 

(∀h ∈ Hom(𝔉, 𝔉))(∀𝔐 ∈ M)(∃𝔑 ∈ M) mean_𝔐 = mean_𝔑 ∘ h. 

Since h is just a substitution, this form makes it explicit that 𝔑 is the h-substituted version of 𝔐. Another equivalent version is the following. 

(∀𝔐 ∈ M)(∀h ∈ Hom(𝔉, mean_𝔐(𝔉)))(∃𝔑 ∈ M) mean_𝔑 = h. 

(ii) Item (2) of Definition 3.1.1 above is a purely logical criterion. Namely, it is Frege's principle of compositionality. 

(iii) Items (3)(i) and (ii) of Definition 3.1.1 above give the following connection between ⊨ and mean: 

(∀φ ∈ F)[⊨ φ ⇔ (∀𝔐 ∈ M) mean_𝔐(φ) = mean_𝔐(True)]. 

(iv) In the presence of (3) of Definition 3.1.1 above, the semantical substitution property ((5)) implies the substitution property ((4)). ◄ 

EXERCISE 3.1.1: Show that 𝓛_n, 𝓛_S, S5, 𝓛_ARWO and 𝓛_ARWRL are strongly nice logics. (Hint: In each case, ↔ is good for "∇".) ◄ 

EXERCISE 3.1.2: Show logics where "∇" is not our old biconditional "↔". (E.g., in S5 we can also take □(Φ₁ ↔ Φ₂) as Φ₁∇Φ₂.) ◄ 

DEFINITION 3.1.2 (Algebraic Counterpart of a Logic): 

Let 𝓛 = (F, M, ⊨) be a logic satisfying conditions (1), (2) of Definition 3.1.1 above. 

(i) Let K ⊆ M. Then for every φ, ψ ∈ F 

φ ≡_K ψ ⇔ (∀𝔐 ∈ K) mean_𝔐(φ) = mean_𝔐(ψ). 

Alg₁(𝓛) = I{𝔉/≡_K : K ⊆ M}. 

(ii) Alg₂(𝓛) = I{mean_𝔐(𝔉) : 𝔐 ∈ M}, 

where mean_𝔐 was defined in item (2) of Definition 3.1.1, I is the operator of closure under isomorphic copies, and for any homomorphism h : 𝔄 → 𝔅, h(𝔄) is the homomorphic image of 𝔄 along h, i.e., h(𝔄) is the smallest subalgebra of 𝔅 such that h : 𝔄 → h(𝔄). ◄ 


FACT 3.1.2.1: For nice logics 

Alg₁(𝓛) = I{𝔉/≡_T : T ⊆ F}, 

where φ ≡_T ψ ⇔ (∀𝔐 ∈ M)(𝔐 ⊨ T ⇒ mean_𝔐(φ) = mean_𝔐(ψ)). 

Proof: For every K ⊆ M, 𝔉/≡_K = 𝔉/≡_Th(K), and for every T ⊆ F, 𝔉/≡_T = 𝔉/≡_Mod(T) (cf. Definitions 2.2 and 2.6). ◄ 

EXERCISE 3.1.3: Show that for any logic 𝓛 satisfying conditions (1), (2) of Definition 3.1.1 

• Alg₂(𝓛) ⊆ Alg₁(𝓛), 

• SPAlg₁(𝓛) = SPAlg₂(𝓛). ◄ 

Recall the definitions of the class BA of Boolean algebras and of the class Cs₁ of one-dimensional cylindric set algebras. 

EXERCISE 3.1.4: Prove that 

(i) Alg₂(𝓛_S) = BA, 

(ii) Alg₂(S5) = Cs₁. ◄ 

The class RRA of representable relation algebras and its relativized version will be introduced and investigated in Chapter I. There we will see that Alg₂(𝓛_ARWRL) coincides with the relativized version of RRA. 
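Condition (2) of Definition 3.1.1 (mean_𝔐 is a homomorphism from the formula algebra 𝔉), condition (3)(i) with ↔ in the role of ∇, and the set algebras mean_𝔐(𝔉) that make up Alg₂(𝓛_S) in Exercise 3.1.4(i) can all be made concrete on one finite model of 𝓛_S. The Python below is an added example, not the paper's code: mean_𝔐(φ) = {w ∈ W : w ⊩_v φ} is computed clause by clause as an operation on subsets of W (which is exactly what the homomorphism condition says), ⊨ is recovered from mean via (***), and the universe of mean_𝔐(𝔉) is obtained by closing the values v(p) under complement and intersection. The model ⟨W, v⟩ in the test is constructed for illustration.

```python
# Formulas of L_S as nested tuples (constructed encoding): ("p", name), ("not", f), ("and", f, g).
# A model M = <W, v> is a pair (frozenset W, dict v: atom name -> frozenset subset of W).


def mean(phi, model):
    """mean_M(phi) = {w in W : w forces phi}. Each clause is a Boolean operation on subsets of W,
    so mean_M is by construction a homomorphism from the formula algebra (Def. 3.1.1(2))."""
    W, v = model
    tag = phi[0]
    if tag == "p":
        return v.get(phi[1], frozenset())
    if tag == "not":
        return W - mean(phi[1], model)                       # complement in W
    if tag == "and":
        return mean(phi[1], model) & mean(phi[2], model)     # intersection
    raise ValueError(f"unknown connective {tag!r}")


def valid(phi, model):
    """M |= phi recovered from mean by (***) of Def. 2.1.2: mean_M(psi) is a subset of
    mean_M(phi) for every psi. Some psi (e.g. not(p and not p)) has meaning W, so this is
    the same as mean_M(phi) = W."""
    return mean(phi, model) == model[0]


def iff(phi, psi):
    """The biconditional of Exercise 2.1, which serves as nabla for L_S (Exercise 3.1.1)."""
    def imp(a, b):
        return ("not", ("and", a, ("not", b)))
    return ("and", imp(phi, psi), imp(psi, phi))


def nabla_condition(phi, psi, model):
    """Def. 3.1.1(3)(i): M |= (phi nabla psi)  iff  mean_M(phi) = mean_M(psi)."""
    return valid(iff(phi, psi), model) == (mean(phi, model) == mean(psi, model))


def set_algebra(model, atoms):
    """Universe of mean_M(F), a member of Alg_2(L_S): the subsets of W reachable from the
    values v(p) by complement and intersection, i.e. the field of sets they generate."""
    W, v = model
    elems = {v.get(p, frozenset()) for p in atoms}
    while True:
        new = {W - a for a in elems} | {a & b for a in elems for b in elems}
        if new <= elems:
            return elems
        elems |= new


def is_field_of_sets(elems, W):
    """Contains the empty set and W, and is closed under complement and intersection."""
    return (frozenset() in elems and W in elems
            and all(W - a in elems for a in elems)
            and all(a & b in elems for a in elems for b in elems))
```

With two atoms whose values cut a four-element W into singletons, the generated field of sets has 16 elements: the full power set, which is the Boolean set algebra mean_𝔐(𝔉) for this 𝔐.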


*** 


Next we turn to inference systems. Inference systems (usually denoted as ⊢) are syntactical devices serving to recapture (or at least to approximate) the semantical consequence relation ⊨ of the logic 𝓛. The idea is the following. Suppose Σ ⊨_𝓛 φ. This means that, in the logic 𝓛, the assumptions collected in Σ semantically imply the conclusion φ. (In any possible world 𝔐 of 𝓛, that is, in any 𝔐 ∈ M_𝓛, whenever Σ is valid in 𝔐, then also φ is valid in 𝔐.) Then we would like to be able to reproduce this relationship between Σ and φ by purely syntactical, "finitistic" means. That is, by applying some formal rules of inference (and some axioms of the logic 𝓛) we would like to be able to derive φ from Σ by using "paper and pencil" only. In particular, such a derivation will always be a finite string of symbols. If we can do this, that will be denoted by Σ ⊢ φ. 

DEFINITION 3.1.3 (Formula Scheme): 

Let 𝓛 be a nice logic with the finite set Cn(𝓛) of logical connectives (cf. (1) of Def. 3.1.1). Fix a countable set {Φᵢ : i < ω} of formula variables. 

The set Fms_𝓛 of formula schemes of 𝓛 is the smallest set satisfying conditions (a–b) below. 

(a) {Φᵢ : i < ω} ⊆ Fms_𝓛, 

(b) if c ∈ Cn_k(𝓛) and Ψ₁, …, Ψ_k ∈ Fms_𝓛 then c(Ψ₁, …, Ψ_k) ∈ Fms_𝓛. 

An instance of a formula scheme is given by substituting formulas for the formula variables in it. ◄ 

DEFINITION 3.1.4 (Hilbert-style Inference System): 

Let 𝓛 be a nice logic. An inference rule of 𝓛 is a pair ⟨⟨B₁, …, Bₙ⟩, B₀⟩ where every Bᵢ (i ≤ n) is a formula scheme. This inference rule will be denoted by 

B₁, …, Bₙ 
――――――――― 
B₀ 

An instance of an inference rule is given by substituting formulas for the formula variables in the formula schemes occurring in the rule. 

A Hilbert-style inference system (or calculus) for 𝓛 is a finite set of formula schemes (called axiom schemes) together with a finite set of inference rules. ◄ 

DEFINITION 3.1.5 (Derivability): 

Let 𝓛 be a nice logic and let ⊢ be a Hilbert-style inference system for 𝓛. Assume Σ ∪ {φ} ⊆ F_𝓛. We say that φ is ⊢-derivable (or provable) from Σ iff there is a finite sequence ⟨φ₁, …, φₙ⟩ of formulas (a ⊢-proof of φ from Σ) such that φₙ is φ and for every 1 ≤ i ≤ n 

• φᵢ ∈ Σ, or 

• φᵢ is an instance of an axiom scheme (an axiom for short) of ⊢, or 

• there are j₁, …, j_k < i and there is an inference rule of ⊢ such that ⟨⟨φ_{j₁}, …, φ_{j_k}⟩, φᵢ⟩ is an instance of this rule. 

We write Σ ⊢ φ if φ is ⊢-provable from Σ. (We will often identify an inference system ⊢ with the corresponding derivability relation.) ◄ 
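Definitions 3.1.3 to 3.1.5 describe a checkable object: a proof is a finite sequence each member of which is an assumption, an instance of an axiom scheme, or the conclusion of a rule instance whose premises occur earlier. The Python below is an added example, not the paper's code: formula schemes carry formula variables Φᵢ, an instance is found by matching (one substitution shared by every scheme of a rule), and a derivation is checked step by step. The inference system is a constructed one modelled on ⊢_Ax from the proof of Theorem 3.2.1 in section 3.2, with ∇ and True treated as connectives of the encoding (the paper does not care how they are built up) and the two Boolean-algebra equations x ∧ y = y ∧ x and ¬¬x = x, read as premise-free rules, standing in for the set Ax.

```python
from itertools import permutations

# Formulas and formula schemes as nested tuples (constructed encoding, not the paper's):
#   formulas: ("p", name), ("not", f), ("and", f, g), ("true",), ("nabla", f, g)
#   schemes:  ("var", "Phi0") is the formula variable Phi_0; connectives as in formulas
def V(name): return ("var", name)
def Nabla(a, b): return ("nabla", a, b)
TRUE = ("true",)


def match(scheme, formula, subst):
    """Extend subst so that scheme instantiates to formula (Def. 3.1.3); None if impossible.
    A formula variable already bound must be bound to the very same formula."""
    if scheme[0] == "var":
        bound = subst.get(scheme[1])
        if bound is None:
            return {**subst, scheme[1]: formula}
        return subst if bound == formula else None
    if scheme[0] != formula[0] or len(scheme) != len(formula):
        return None
    for s, f in zip(scheme[1:], formula[1:]):
        if not isinstance(f, tuple):
            return None
        subst = match(s, f, subst)
        if subst is None:
            return None
    return subst


# A Hilbert-style system (Def. 3.1.4) modelled on |-_Ax of Theorem 3.2.1, constructed here:
# reflexivity of nabla and the two BA equations as axiom schemes; transitivity, symmetry,
# congruence rules for "not" and "and", and the two True rules as inference rules.
AXIOM_SCHEMES = [
    Nabla(V("Phi0"), V("Phi0")),
    Nabla(("and", V("Phi0"), V("Phi1")), ("and", V("Phi1"), V("Phi0"))),
    Nabla(("not", ("not", V("Phi0"))), V("Phi0")),
]
RULES = [  # (premise schemes, conclusion scheme)
    ([Nabla(V("Phi0"), V("Phi1")), Nabla(V("Phi1"), V("Phi2"))], Nabla(V("Phi0"), V("Phi2"))),
    ([Nabla(V("Phi0"), V("Phi1"))], Nabla(V("Phi1"), V("Phi0"))),
    ([Nabla(V("Phi0"), V("Phi1"))], Nabla(("not", V("Phi0")), ("not", V("Phi1")))),
    ([Nabla(V("Phi0"), V("Phi1")), Nabla(V("Phi2"), V("Phi3"))],
     Nabla(("and", V("Phi0"), V("Phi2")), ("and", V("Phi1"), V("Phi3")))),
    ([V("Phi0")], Nabla(V("Phi0"), TRUE)),
    ([Nabla(V("Phi0"), TRUE)], V("Phi0")),
]


def rule_instance(rule, premises, conclusion):
    """Is <premises, conclusion> an instance of rule under one common substitution?"""
    premise_schemes, conclusion_scheme = rule
    if len(premise_schemes) != len(premises):
        return False
    subst = match(conclusion_scheme, conclusion, {})
    for s, f in zip(premise_schemes, premises):
        if subst is None:
            return False
        subst = match(s, f, subst)
    return subst is not None


def check_proof(sigma, proof):
    """Def. 3.1.5: return one justification per step, or raise ValueError at the first step
    that is neither in Sigma, nor an axiom, nor obtained from earlier steps by a rule."""
    sigma = set(sigma)
    justifications = []
    for i, phi in enumerate(proof):
        if phi in sigma:
            justifications.append("assumption")
            continue
        if any(match(ax, phi, {}) is not None for ax in AXIOM_SCHEMES):
            justifications.append("axiom")
            continue
        found = None
        for r, rule in enumerate(RULES):
            for js in permutations(range(i), len(rule[0])):
                if rule_instance(rule, [proof[j] for j in js], phi):
                    found = f"rule {r} from steps {list(js)}"
                    break
            if found:
                break
        if found is None:
            raise ValueError(f"step {i} is not justified: {phi}")
        justifications.append(found)
    return justifications


def derives(sigma, phi, proof):
    """Sigma |- phi witnessed by proof: the sequence checks and its last member is phi."""
    return bool(proof) and proof[-1] == phi and len(check_proof(sigma, proof)) == len(proof)


# Constructed sample derivation of {p and q} |- q and p
P, Q = ("p", "p"), ("p", "q")
PQ, QP = ("and", P, Q), ("and", Q, P)
SAMPLE_PROOF = [PQ, Nabla(PQ, TRUE), Nabla(TRUE, PQ), Nabla(PQ, QP),
                Nabla(TRUE, QP), Nabla(QP, TRUE), QP]
```

The sample proof shows the role of the two True rules in ⊢_Ax: an assumption enters the ∇-equivalence as φ∇True, the equational reasoning happens on ∇-formulas, and the conclusion leaves it again via Φ₀∇True / Φ₀.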

DEFINITION 3.1.6 (Complete and Sound Hilbert-type Inference System): 

Let 𝓛 be a nice logic and let ⊢ be a Hilbert-type inference system for 𝓛. Then 

• ⊢ is weakly complete for 𝓛 iff 

(∀φ ∈ F_𝓛) ⊨_𝓛 φ ⇒ ⊢ φ; 

• ⊢ is finitely complete for 𝓛 iff 

(∀ finite Σ ⊆ F_𝓛)(∀φ ∈ F_𝓛) Σ ⊨_𝓛 φ ⇒ Σ ⊢ φ, 

that is, we consider only finite Σ's; 

• ⊢ is strongly complete for 𝓛 iff 

(∀Σ ⊆ F_𝓛)(∀φ ∈ F_𝓛) Σ ⊨_𝓛 φ ⇒ Σ ⊢ φ; 

• ⊢ is weakly sound for 𝓛 iff 

(∀φ ∈ F_𝓛) ⊢ φ ⇒ ⊨_𝓛 φ; 

• ⊢ is strongly sound for 𝓛 iff 

(∀Σ ⊆ F_𝓛)(∀φ ∈ F_𝓛) Σ ⊢ φ ⇒ Σ ⊨_𝓛 φ. ◄ 

THEOREM 3.1.1 (Strong Completeness of 𝓛_S and S5). There are strongly complete and strongly sound Hilbert-type inference systems for 𝓛_S and for S5. 

We will prove this theorem in section 3.2 below, using methods of Universal Algebraic Logic. ∎ 

We will also prove in section 3.2 that the arrow logics introduced in Def. 2.4 also admit strongly complete and strongly sound Hilbert-type inference systems. 





3.2. Main theorems 




In Theorem 3.2.1 below, we will give a sufficient and necessary condition for a strongly nice logic to have a finitely complete Hilbert-style inference system. 

THEOREM 3.2.1. Assume 𝓛 is strongly nice. Then 

Alg₂(𝓛) generates a finitely axiomatizable quasivariety 
⇔ 
(∃ Hilbert-style ⊢)(⊢ is finitely complete and strongly sound for 𝓛). 

Proof of (⇒): Let Φ₀, Φ₁, … denote formula variables, τ₀, τ₁, … denote formula schemes, Φ̄ denote a sequence of formula variables and x̄ denote a sequence of variables. Assume that Ax is a finite set of quasiequations axiomatizing the quasivariety generated by Alg₂(𝓛) and define a Hilbert-style inference system ⊢_Ax as follows: 

Axiom scheme: (Φ₀∇Φ₀) (reflexivity). 

Inference rules: If (τ₁(x̄) = τ₁'(x̄) & … & τₙ(x̄) = τₙ'(x̄)) ⇒ τ₀(x̄) = τ₀'(x̄) ∈ Ax, then 

τ₁(Φ̄)∇τ₁'(Φ̄), …, τₙ(Φ̄)∇τₙ'(Φ̄) 
―――――――――――――――――――― 
τ₀(Φ̄)∇τ₀'(Φ̄) 

is a rule. Other rules are: 

Φ₀∇Φ₁, Φ₁∇Φ₂ 
――――――――― (transitivity), 
Φ₀∇Φ₂ 

Φ₀∇Φ₁ 
――――― (symmetry), 
Φ₁∇Φ₀ 

(∀c ∈ Cn_k(𝓛)) 

Φ₀∇Φ₀', …, Φ_{k−1}∇Φ'_{k−1} 
―――――――――――――――――――― (congruence), 
c(Φ₀, …, Φ_{k−1})∇c(Φ₀', …, Φ'_{k−1}) 

Φ₀ 
――――― 
Φ₀∇True 

Φ₀∇True 
――――― 
Φ₀ 

We will show that the inference system ⊢_Ax is finitely complete and strongly sound for 𝓛. 
3. BRIDGE BETWEEN LOGICS AND ALGEBRAS

For any set $\Sigma$ of formulas we define $\varphi \sim_\Sigma \psi \iff \Sigma \vdash_{Ax} (\varphi\nabla\psi)$. Note that, by the definition of $\vdash_{Ax}$ and by Definition 3.1.5, $\sim_\Sigma$ is a congruence relation on $\mathfrak F$ for any $\Sigma$.

Claim 3.2.1.1: $(\mathfrak F/\sim_\Sigma) \models Ax$.

Proof of Claim 3.2.1.1: Let $q \in Ax$. Then it has the form

$$(\tau_1(\bar x) = \tau_1'(\bar x)\ \&\ \cdots\ \&\ \tau_n(\bar x) = \tau_n'(\bar x)) \ \Rightarrow\ \tau_0(\bar x) = \tau_0'(\bar x).$$

Let $\mathfrak A = (\mathfrak F/\sim_\Sigma)$. We want to prove that, for every valuation $k$ of the variables into $\mathfrak A$,

$$\mathfrak A \models q[k].$$

So let $k$ be an arbitrary valuation into $\mathfrak A$. Then $(\forall i \in \omega)\ k(x_i) = \varphi_i/\sim_\Sigma$ for some $\varphi_i \in F$. Assume that

$$\mathfrak A \models \tau_1(\bar\varphi/\sim_\Sigma) = \tau_1'(\bar\varphi/\sim_\Sigma)\ \&\ \cdots\ \&\ \tau_n(\bar\varphi/\sim_\Sigma) = \tau_n'(\bar\varphi/\sim_\Sigma).$$

Then

$$\mathfrak A \models (\tau_1(\bar\varphi))/\sim_\Sigma = (\tau_1'(\bar\varphi))/\sim_\Sigma\ \&\ \cdots\ \&\ (\tau_n(\bar\varphi))/\sim_\Sigma = (\tau_n'(\bar\varphi))/\sim_\Sigma ,$$

since $\sim_\Sigma$ is a congruence on $\mathfrak F$. Then

$$\tau_1(\bar\varphi) \sim_\Sigma \tau_1'(\bar\varphi),\ \ldots,\ \tau_n(\bar\varphi) \sim_\Sigma \tau_n'(\bar\varphi),$$

that is,

$$\Sigma \vdash_{Ax} \tau_1(\bar\varphi)\nabla\tau_1'(\bar\varphi),\ \ldots,\ \Sigma \vdash_{Ax} \tau_n(\bar\varphi)\nabla\tau_n'(\bar\varphi)$$

by the definition of $\sim_\Sigma$. In $\vdash_{Ax}$ we have the following rule (corresponding to $q$):

$$\frac{\tau_1(\bar\phi)\nabla\tau_1'(\bar\phi),\ \ldots,\ \tau_n(\bar\phi)\nabla\tau_n'(\bar\phi)}{\tau_0(\bar\phi)\nabla\tau_0'(\bar\phi)}$$

Using this rule, we obtain that $\Sigma \vdash_{Ax} \tau_0(\bar\varphi)\nabla\tau_0'(\bar\varphi)$. Then $\tau_0(\bar\varphi) \sim_\Sigma \tau_0'(\bar\varphi)$, whence

$\mathfrak A \models (\tau_0(\bar\varphi))/\sim_\Sigma = (\tau_0'(\bar\varphi))/\sim_\Sigma$, that is, $\mathfrak A \models \tau_0(\bar\varphi/\sim_\Sigma) = \tau_0'(\bar\varphi/\sim_\Sigma)$, that is, $\mathfrak A \models \tau_0(\bar x) = \tau_0'(\bar x)[k]$. By this we proved Claim 3.2.1.1. ▮

Claim 3.2.1.2: For any formulas $\varphi_0, \ldots, \varphi_n$,

$$\{\varphi_1, \ldots, \varphi_n\} \models \varphi_0 \ \Rightarrow\ \mathrm{Alg}_2(\mathcal L) \models (\varphi_1 = True\ \&\ \cdots\ \&\ \varphi_n = True) \Rightarrow (\varphi_0 = True).$$

Proof of Claim 3.2.1.2: Assume

$$\{\varphi_1(p_1, \ldots, p_m), \ldots, \varphi_n(p_1, \ldots, p_m)\} \models \varphi_0(p_1, \ldots, p_m).$$

Let $\mathfrak A \in \mathrm{Alg}_2(\mathcal L)$. Then $\mathfrak A = mean_{\mathfrak M}(\mathfrak F)$ for some $\mathfrak M \in M$. Let $k \in {}^\omega A$ be arbitrary. For every $1 \le j \le m$ we denote $k_j = k(p_j)$. Clearly for every $1 \le j \le m$, $k_j = mean_{\mathfrak M}(\gamma_j)$ for some $\gamma_j \in F$. For every $0 \le i \le n$

$$\varphi_i[k_1, \ldots, k_m]^{\mathfrak A} = \varphi_i[mean_{\mathfrak M}(\gamma_1), \ldots, mean_{\mathfrak M}(\gamma_m)]^{\mathfrak A} = mean_{\mathfrak M}(\varphi_i(\gamma_1, \ldots, \gamma_m)),$$

since $mean_{\mathfrak M}$ is a homomorphism.

Assume for every $1 \le i \le n$ that $\mathfrak A \models (\varphi_i = True)[k]$.

$\iff mean_{\mathfrak M}(\varphi_i(\gamma_1, \ldots, \gamma_m)) = mean_{\mathfrak M}(True)\ \ (1 \le i \le n)$

(by Def. 3.1.1 (5)) $\Rightarrow (\exists \mathfrak N \in M)\ mean_{\mathfrak N}(\varphi_i) = mean_{\mathfrak N}(True)\ \ (1 \le i \le n)$

(by Def. 3.1.1 (3)) $\iff \mathfrak N \models \varphi_i\ \ (1 \le i \le n)$

(by our assumption) $\Rightarrow \mathfrak N \models \varphi_0$

(by Def. 3.1.1 (3)) $\iff mean_{\mathfrak N}(\varphi_0) = mean_{\mathfrak N}(True)$

(by Def. 3.1.1 (5)) $\Rightarrow mean_{\mathfrak M}(\varphi_0(\gamma_1, \ldots, \gamma_m)) = mean_{\mathfrak M}(True)$

$\iff \mathfrak A \models \varphi_0 = True[k]$,

proving Claim 3.2.1.2, since $k$ was chosen arbitrarily. ▮

Now let $\Sigma = \{\varphi_1, \ldots, \varphi_n\}$ and assume $\Sigma \models \varphi_0$. Then, by Claim 3.2.1.2,

$\mathrm{Alg}_2(\mathcal L) \models (\varphi_1 = True\ \&\ \cdots\ \&\ \varphi_n = True) \Rightarrow (\varphi_0 = True)$

$\Rightarrow Ax \models (\varphi_1 = True\ \&\ \cdots\ \&\ \varphi_n = True) \Rightarrow (\varphi_0 = True)$

(Claim 3.2.1.1) $\Rightarrow \mathfrak F/\sim_\Sigma \models (\varphi_1 = True\ \&\ \cdots\ \&\ \varphi_n = True) \Rightarrow (\varphi_0 = True)$

$\Rightarrow$ [if ($\varphi_1 \sim_\Sigma True, \ldots, \varphi_n \sim_\Sigma True$) then $\varphi_0 \sim_\Sigma True$]

$\iff$ [if ($\Sigma \vdash_{Ax} \varphi_1\nabla True, \ldots, \Sigma \vdash_{Ax} \varphi_n\nabla True$) then $\Sigma \vdash_{Ax} \varphi_0\nabla True$] $\quad (*)$.

By the rule $\dfrac{\phi_0}{\phi_0\nabla True}$ we have $\Sigma \vdash_{Ax} \varphi_1\nabla True, \ldots, \Sigma \vdash_{Ax} \varphi_n\nabla True$. Thus, by $(*)$, $\Sigma \vdash_{Ax} \varphi_0\nabla True$. Now using the rule $\dfrac{\phi_0\nabla True}{\phi_0}$ we get $\Sigma \vdash_{Ax} \varphi_0$, proving the finite completeness of $\vdash_{Ax}$.

The strong soundness of $\vdash_{Ax}$ can be proved by induction on the length of the $\vdash_{Ax}$-proof of $\varphi_0$ from $\{\varphi_1, \ldots, \varphi_n\}$. We only show one part of the induction step, namely the case when $\varphi_0$ is 'obtained' by an inference rule corresponding to a quasiequation $q \in Ax$. Say $q$ has the form

$$(\tau_1(\bar x) = \tau_1'(\bar x)\ \&\ \cdots\ \&\ \tau_k(\bar x) = \tau_k'(\bar x)) \ \Rightarrow\ \tau_0(\bar x) = \tau_0'(\bar x),$$

where $\bar x = (x_1, \ldots, x_m)$. Then the corresponding inference rule is

$$\frac{\tau_1(\bar\phi)\nabla\tau_1'(\bar\phi),\ \ldots,\ \tau_k(\bar\phi)\nabla\tau_k'(\bar\phi)}{\tau_0(\bar\phi)\nabla\tau_0'(\bar\phi)}$$

Assume that $\varphi_0$ is obtained by this rule by substituting the members of the sequence $\bar\gamma = (\gamma_1, \ldots, \gamma_m)$ of formulas for the members of the sequence $\bar\phi = (\phi_1, \ldots, \phi_m)$ of formula variables, i.e. $\varphi_0$ has the form $\tau_0(\bar\gamma)\nabla\tau_0'(\bar\gamma)$.

Now fix a model $\mathfrak M$ and assume that

$$\mathfrak M \models \tau_1(\bar\gamma)\nabla\tau_1'(\bar\gamma),\ \ldots,\ \mathfrak M \models \tau_k(\bar\gamma)\nabla\tau_k'(\bar\gamma).$$

We have to show that $\mathfrak M \models \tau_0(\bar\gamma)\nabla\tau_0'(\bar\gamma)$.

Let $\mathfrak A = mean_{\mathfrak M}(\mathfrak F) \in \mathrm{Alg}_2(\mathcal L)$, and let $v$ be a valuation of $\mathfrak A$ such that for every $1 \le i \le m$, $v(x_i) = mean_{\mathfrak M}(\gamma_i)$. Then by Definition 3.1.1 (3)(i)

$mean_{\mathfrak M}(\tau_j(\bar\gamma)) = mean_{\mathfrak M}(\tau_j'(\bar\gamma))\ \ (1 \le j \le k)$

$\iff \mathfrak A \models \tau_1(\bar x) = \tau_1'(\bar x)\ \&\ \cdots\ \&\ \tau_k(\bar x) = \tau_k'(\bar x)[v]$

(by $\mathrm{Alg}_2(\mathcal L) \models Ax$) $\Rightarrow \mathfrak A \models \tau_0(\bar x) = \tau_0'(\bar x)[v]$

(by Def. 3.1.1 (3)(i)) $\iff \mathfrak M \models \tau_0(\bar\gamma)\nabla\tau_0'(\bar\gamma)$.

This completes the proof of direction ($\Rightarrow$) of Theorem 3.2.1.

Proof of ($\Leftarrow$): Let $\phi_1, \ldots, \phi_m$ denote formula variables, $\tau_0, \tau_1, \ldots$ denote formula schemes, let $\bar\phi = (\phi_1, \ldots, \phi_m)$, and let $\bar x = (x_1, \ldots, x_m)$ be a sequence of variables.

Assume that $\vdash$ is a finitely complete and strongly sound Hilbert-type inference system for the logic $\mathcal L$, and define the finite set $Ax$ of quasiequations as follows:

- If $\tau_0(\bar\phi)$ is an axiom scheme of $\vdash$ then let "$\tau_0(\bar x) = True$" belong to $Ax$.

- If $\dfrac{\tau_1(\bar\phi), \ldots, \tau_k(\bar\phi)}{\tau_0(\bar\phi)}$ is an inference rule of $\vdash$ then let

"$(\tau_1(\bar x) = True\ \&\ \cdots\ \&\ \tau_k(\bar x) = True) \Rightarrow \tau_0(\bar x) = True$" belong to $Ax$.

- Let "$(x_0 = x_1) \Rightarrow (x_0\nabla x_1 = True)$" and "$(x_0\nabla x_1 = True) \Rightarrow (x_0 = x_1)$" belong to $Ax$.
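As an added worked instance of the two translations used in this proof (it is not part of the original text), take $\mathcal L = \mathcal L_S$ and read $\nabla$ as the biconditional $\leftrightarrow$ and $True$ as $\top$; this reading of $\nabla$ for $\mathcal L_S$, and the particular Boolean quasiequations and rules chosen, are assumptions made for the illustration only.

```latex
\begin{aligned}
&\text{From } Ax \text{ to } \vdash_{Ax} \text{ (direction } \Rightarrow\text{):}\\
&\quad (x_0 \wedge x_1 = x_0) \Rightarrow (x_0 \vee x_1 = x_1) \in Ax
  \ \leadsto\ \frac{(\phi_0 \wedge \phi_1)\nabla\phi_0}{(\phi_0 \vee \phi_1)\nabla\phi_1}
  \ \text{ is a rule of } \vdash_{Ax},\\
&\quad x_0 \vee x_1 = x_1 \vee x_0 \in Ax \ (\text{no premises})
  \ \leadsto\ (\phi_0 \vee \phi_1)\nabla(\phi_1 \vee \phi_0) \ \text{ is an axiom scheme of } \vdash_{Ax}.\\[4pt]
&\text{From } \vdash \text{ to } Ax \text{ (direction } \Leftarrow\text{):}\\
&\quad \frac{\phi_0,\ \ \phi_0 \to \phi_1}{\phi_1} \ \text{ (modus ponens) is a rule of } \vdash
  \ \leadsto\ (x_0 = True\ \&\ (x_0 \to x_1) = True) \Rightarrow x_1 = True \in Ax,\\
&\quad \phi_0 \to (\phi_1 \to \phi_0) \ \text{ is an axiom scheme of } \vdash
  \ \leadsto\ x_0 \to (x_1 \to x_0) = True \in Ax,\\
&\quad \text{and in both directions the bridge } (x_0 = x_1) \iff (x_0\nabla x_1 = True)
  \ \text{ holds in } \mathbf{BA} \text{ because } a \leftrightarrow b = 1 \iff a = b.
\end{aligned}
```

The first quasiequation is valid in every Boolean algebra, since $x_0 \wedge x_1 = x_0$ says $x_0 \le x_1$, which gives $x_0 \vee x_1 = x_1$; so its rule is strongly sound, exactly as the soundness part of the proof requires.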

We will show that $Ax$ axiomatizes the quasivariety generated by $\mathrm{Alg}_2(\mathcal L)$.

Claim 3.2.1.3: $\mathrm{Alg}_2(\mathcal L) \models Ax$.

Proof of Claim 3.2.1.3: $\mathrm{Alg}_2(\mathcal L) \models (x_0\nabla x_1 = True) \iff (x_0 = x_1)$ obviously holds by Definition 3.1.1 (3).

Let $(\tau_1(\bar x) = True\ \&\ \cdots\ \&\ \tau_k(\bar x) = True) \Rightarrow \tau_0(\bar x) = True$ belong to $Ax$, let $\mathfrak A \in \mathrm{Alg}_2(\mathcal L)$ and let $k$ be an arbitrary valuation of the variables into $\mathfrak A$. Let $\mathfrak M$ be such that $\mathfrak A = mean_{\mathfrak M}(\mathfrak F)$. Then for every $i \in \omega$, $k(x_i) = mean_{\mathfrak M}(\varphi_i)$ for some $\varphi_i \in F$.

Assume that

$$\mathfrak A \models \tau_1(\bar x) = True\ \&\ \cdots\ \&\ \tau_k(\bar x) = True[k].$$

Then by Definition 3.1.1 (3)

$$(**)\qquad \mathfrak M \models \tau_j(x_1/\varphi_1, \ldots, x_m/\varphi_m)\ \ (1 \le j \le k).$$

But $\dfrac{\tau_1(\bar\phi), \ldots, \tau_k(\bar\phi)}{\tau_0(\bar\phi)}$ is an inference rule of $\vdash$, therefore $\{\tau_1(\bar\varphi), \ldots, \tau_k(\bar\varphi)\} \vdash \tau_0(\bar\varphi)$. This implies by the strong soundness of $\vdash$ that $\{\tau_1(\bar\varphi), \ldots, \tau_k(\bar\varphi)\} \models \tau_0(\bar\varphi)$. Now, by $(**)$ above, $\mathfrak M \models \tau_0(\bar\varphi)$, hence again by Definition 3.1.1 (3), $\mathfrak A \models \tau_0(\bar x) = True[k]$, which is desired. ▮

Claim 3.2.1.4: For any quasiequation $q$ of form $\tau_1 = \tau_1'\ \&\ \cdots\ \&\ \tau_n = \tau_n' \Rightarrow \tau_0 = \tau_0'$

$$\mathrm{Alg}_2(\mathcal L) \models q \ \Rightarrow\ \{\tau_1\nabla\tau_1', \ldots, \tau_n\nabla\tau_n'\} \models \tau_0\nabla\tau_0'.$$

Proof of Claim 3.2.1.4: Assume that for every $\mathfrak A \in \mathrm{Alg}_2(\mathcal L)$ and for every valuation $k$

$$\mathfrak A \models q[k].$$

Let $\mathfrak M \in M$ such that $\mathfrak M \models \{\tau_1\nabla\tau_1', \ldots, \tau_n\nabla\tau_n'\}$. Then by Definition 3.1.1 (3)(i) $mean_{\mathfrak M}(\tau_i) = mean_{\mathfrak M}(\tau_i')$ for each $1 \le i \le n$. Now let $\mathfrak A \in \mathrm{Alg}_2(\mathcal L)$ be such that $mean_{\mathfrak M}(\mathfrak F) = \mathfrak A$ and let $k \in {}^P A$ be such that for each $p \in P$, $k(p) = mean_{\mathfrak M}(p)$. Then

$$\mathfrak A \models (\tau_1 = \tau_1'\ \&\ \cdots\ \&\ \tau_n = \tau_n')[k],$$

which implies $\mathfrak A \models (\tau_0 = \tau_0')[k]$ by our assumption. This is the same as $mean_{\mathfrak M}(\tau_0) = mean_{\mathfrak M}(\tau_0')$, thus again by Definition 3.1.1 (3)(i), $\mathfrak M \models \tau_0\nabla\tau_0'$, which proves Claim 3.2.1.4. ▮

Claim 3.2.1.5: For any formulas $\varphi_0, \ldots, \varphi_n$

$$\{\varphi_1, \ldots, \varphi_n\} \vdash \varphi_0 \ \Rightarrow\ Ax \models (\varphi_1 = True\ \&\ \cdots\ \&\ \varphi_n = True) \Rightarrow (\varphi_0 = True).$$

Proof of Claim 3.2.1.5: It can be proved by induction on the length of the $\vdash$-proof of $\varphi_0$ from $\{\varphi_1, \ldots, \varphi_n\}$. We only show one part of the induction step, namely the case when $\varphi_0$ is 'obtained' by an inference rule $\dfrac{\tau_1(\bar\phi), \ldots, \tau_k(\bar\phi)}{\tau_0(\bar\phi)}$ where $\bar\phi = (\phi_1, \ldots, \phi_m)$. Then there are formulas $\gamma_1, \ldots, \gamma_m$ such that $\varphi_0 = \tau_0(\gamma_1, \ldots, \gamma_m)$ and for every $1 \le i \le k$, $\{\varphi_1, \ldots, \varphi_n\} \vdash \tau_i(\bar\gamma)$. Then by the induction hypothesis

$$(\dagger)\qquad Ax \models (\varphi_1 = True\ \&\ \cdots\ \&\ \varphi_n = True) \Rightarrow \tau_i(\bar\gamma) = True\ \ (1 \le i \le k).$$

By the definition of $Ax$

$$(\ddagger)\qquad Ax \models (\tau_1(\bar x) = True\ \&\ \cdots\ \&\ \tau_k(\bar x) = True) \Rightarrow \tau_0(\bar x) = True.$$

Let $\mathfrak B$ be an algebra with $\mathfrak B \models Ax$ and let $k$ be any valuation of the variables into $\mathfrak B$. Now we can define a valuation $k'$ with $k'(x_i) = \gamma_i[k]^{\mathfrak B}$ $(1 \le i \le m)$. Then for every $0 \le i \le k$, $\tau_i(\bar x)[k']^{\mathfrak B} = \tau_i(\bar\gamma)[k]^{\mathfrak B}$. Thus, by $(\dagger)$ and $(\ddagger)$,

$$\mathfrak B \models (\varphi_1 = True\ \&\ \cdots\ \&\ \varphi_n = True) \Rightarrow \tau_0(\bar\gamma) = True[k],$$

which was desired. ▮

Now assume that

$\mathrm{Alg}_2(\mathcal L) \models (\tau_1 = \tau_1'\ \&\ \cdots\ \&\ \tau_n = \tau_n') \Rightarrow \tau_0 = \tau_0'$.

(Claim 3.2.1.4) $\Rightarrow \{\tau_1\nabla\tau_1', \ldots, \tau_n\nabla\tau_n'\} \models \tau_0\nabla\tau_0'$

(finite completeness) $\Rightarrow \{\tau_1\nabla\tau_1', \ldots, \tau_n\nabla\tau_n'\} \vdash \tau_0\nabla\tau_0'$

(Claim 3.2.1.5) $\Rightarrow Ax \models (\tau_1\nabla\tau_1' = True\ \&\ \cdots\ \&\ \tau_n\nabla\tau_n' = True) \Rightarrow \tau_0\nabla\tau_0' = True$.

But, since "$x_0\nabla x_1 = True \iff x_0 = x_1$" belongs to $Ax$, this is equivalent to

$$Ax \models (\tau_1 = \tau_1'\ \&\ \cdots\ \&\ \tau_n = \tau_n') \Rightarrow \tau_0 = \tau_0',$$

completing the proof of direction ($\Leftarrow$) of Theorem 3.2.1. ▮

Having found the algebraic counterpart of "finitely complete", let us try to characterize "weakly complete". Since weak completeness is slightly weaker than finite completeness, we have to weaken the algebraic counterpart of finite completeness for characterizing weak completeness. This way we obtain condition $(*)$ below, where $Eq_{\mathcal L}$ and $Qeq_{\mathcal L}$ denote the set of all equations and the set of all quasiequations, respectively, of the language of $\mathrm{Alg}_2(\mathcal L)$.

$$(*)\qquad (\exists Ax \subseteq_\omega Qeq_{\mathcal L})\ [(\forall e \in Eq_{\mathcal L})\ (\mathrm{Alg}_2(\mathcal L) \models e \Rightarrow Ax \models e)\ \&\ \mathrm{Alg}_2(\mathcal L) \models Ax].$$

THEOREM 3.2.2. Assume that $\mathcal L$ is nice. Then

$$(*) \iff (\exists\ \text{Hilbert-style } \vdash)(\vdash \text{ is weakly complete and strongly sound for } \mathcal L).$$

In particular, if the equational theory of $\mathrm{Alg}_2(\mathcal L)$ is finitely axiomatizable, then $\mathcal L$ admits a weakly complete Hilbert-style inference system.

Proof: It is similar to the proof of Theorem 3.2.1. The only important difference is that Theorem 3.2.2 already holds for nice logics. However, the only part of the proof of Theorem 3.2.1 which used the additional criterion for strong niceness (Definition 3.1.1 (5)) was Claim 3.2.1.2. Below we state the corresponding weaker claim and prove it without using condition (5) of Definition 3.1.1.

Claim 3.2.2.2: For any formula $\varphi$

$$\models \varphi \ \Rightarrow\ \mathrm{Alg}_2(\mathcal L) \models (\varphi = True).$$

Proof of Claim 3.2.2.2: Assume $\models \varphi(p_0, \ldots, p_n)$. Let $\mathfrak A \in \mathrm{Alg}_2(\mathcal L)$. Then $\mathfrak A = mean_{\mathfrak M}(\mathfrak F)$ for some $\mathfrak M \in M$. Let $k \in {}^\omega A$ be arbitrary. We denote $k_0 = k(p_0), \ldots, k_n = k(p_n)$. Clearly $(\forall i \le n)(k_i = mean_{\mathfrak M}(\gamma_i)$ for some $\gamma_i \in F)$.

$$\varphi[k_0, \ldots, k_n]^{\mathfrak A} = \varphi[mean_{\mathfrak M}(\gamma_0), \ldots, mean_{\mathfrak M}(\gamma_n)]^{\mathfrak A} = mean_{\mathfrak M}(\varphi(\gamma_0, \ldots, \gamma_n)),$$

since $mean_{\mathfrak M}$ is a homomorphism.

$\models \varphi(p_0, \ldots, p_n)$ implies, by Definition 3.1.1 (4) (substitution property), that $\models \varphi(\gamma_0, \ldots, \gamma_n)$. Thus by Definition 3.1.1 (3)

$$mean_{\mathfrak M}(\varphi(\gamma_0, \ldots, \gamma_n)) = mean_{\mathfrak M}(True).$$

But $mean_{\mathfrak M}(\varphi(\gamma_0, \ldots, \gamma_n)) = \varphi[k_0, \ldots, k_n]^{\mathfrak A}$ and $mean_{\mathfrak M}(True) = True^{\mathfrak A}$, thus $\varphi[k_0, \ldots, k_n]^{\mathfrak A} = True^{\mathfrak A}$. Thus we have $\mathfrak A \models (\varphi = True)[k]$, proving Claim 3.2.2.2, since $k$ was chosen arbitrarily. Thus we also proved Theorem 3.2.2. ▮

EXERCISE 3.2.1: Give weakly complete and sound calculi for the logics $\mathcal L_S$, $S5$, $\mathcal L_{ARW_0}$ and $\mathcal L_{ARWRL}$. (Hint: Use that the $\mathbf{SP}$-closure of the $\mathrm{Alg}_2$-image of these logics are finitely axiomatizable varieties, so $(*)$ is satisfied. For the arrow logics, finite axiomatizability of the corresponding varieties will be proved in chapter I.) $\triangleleft$
DEFINITION 3.2.1: Let $\mathcal L = \langle F, M, \models\rangle$ be a nice logic. We say that $\mathcal L$ has a deduction theorem, iff

$$(\exists (\phi_0 \Delta \phi_1) \in \mathrm{Fms}(\mathcal L))\ (\forall \Sigma \subseteq F)(\forall \varphi, \psi \in F)\ (\Sigma \cup \{\varphi\} \models \psi \iff \Sigma \models \varphi\Delta\psi),$$

where "$\varphi\Delta\psi$" denotes an instance of scheme $\phi_0\Delta\phi_1$. Such a $\Delta$ is called a deduction term for $\mathcal L$. $\triangleleft$

THEOREM 3.2.3. $\mathcal L_S$ and $S5$ have deduction terms.

Proof: It is not hard to show that "$\phi_1 \to \phi_2$" and "$\Box\phi_1 \to \Box\phi_2$" (where $\Box$ is the abbreviation of $\neg\Diamond\neg$) are suitable deduction terms for propositional logic and $S5$, respectively. ▮


The following theorem states that for any nice logic the existence of a deduction term and that of a weakly complete Hilbert-style calculus provides a finitely complete inference system.

THEOREM 3.2.4. Assume $\mathcal L$ has a deduction theorem, and $(\exists\ \text{Hilbert-style } \vdash)(\vdash \text{ is weakly complete and strongly sound for } \mathcal L)$. Then

$$(\exists\ \text{Hilbert-style } \vdash)(\vdash \text{ is finitely complete and strongly sound for } \mathcal L).$$

First we note the following fact (its proof is straightforward by the assumptions on $\Delta$).

Fact 3.2.4.1: The inference rule modus ponens w.r.t. $\Delta$ $(MP_\Delta)$, that is,

$$(MP_\Delta)\qquad \frac{\varphi,\ \ \varphi\Delta\psi}{\psi}$$

is strongly sound for $\mathcal L$. ▮

Proof of Theorem 3.2.4:

Assume that $(\exists\ \text{Hilbert-style } \vdash)(\vdash \text{ is weakly complete and strongly sound for } \mathcal L)$. Let such an inference system be fixed and let us add $(MP_\Delta)$ to it. We denote this (extended) inference system by $\vdash$, too.

To prove finite completeness, assume $\{\varphi_0, \ldots, \varphi_n\} \models \psi$. Then, applying the deduction theorem $n+1$ times, we get:

$$\{\varphi_0, \ldots, \varphi_{n-1}\} \models (\varphi_n\Delta\psi)$$

$$\{\varphi_0, \ldots, \varphi_{n-2}\} \models (\varphi_{n-1}\Delta(\varphi_n\Delta\psi))$$

$$\vdots$$

$$\models \underbrace{(\varphi_0\Delta(\varphi_1\Delta\ldots(\varphi_n\Delta\psi)\ldots))}_{\gamma_0}.$$

Then $\vdash \gamma_0$ by weak completeness of $\vdash$. Then, using $(MP_\Delta)$ $n+1$ times, we get:

$$\{\varphi_0\} \vdash \gamma_1, \ \text{since}\ \{\varphi_0, \gamma_0\} \vdash \underbrace{\varphi_1\Delta(\varphi_2\Delta\ldots(\varphi_n\Delta\psi)\ldots)}_{\gamma_1},$$

$$\{\varphi_0, \varphi_1\} \vdash \gamma_2, \ \text{since}\ \{\varphi_1, \gamma_1\} \vdash \underbrace{\varphi_2\Delta(\varphi_3\Delta\ldots(\varphi_n\Delta\psi)\ldots)}_{\gamma_2},$$

$$\vdots$$

$$\{\varphi_0, \varphi_1, \ldots, \varphi_n\} \vdash \psi, \ \text{since}\ \{\varphi_n, \gamma_n\} \vdash \psi, \ \text{where}\ \gamma_n = (\varphi_n\Delta\psi).$$

Thus we received the following $\vdash$-proof of $\psi$ from $\{\varphi_0, \ldots, \varphi_n\}$:

$$\langle \gamma_0, \varphi_0, \gamma_1, \varphi_1, \gamma_2, \varphi_2, \ldots, \gamma_n, \varphi_n, \psi \rangle,$$

which proves Theorem 3.2.4. ▮

DEFINITION 3.2.2: Let $\mathcal L = \langle F, M, \models\rangle$ be a logic. We say that

(i) $\mathcal L$ is satisfiability compact (sat. compact for short), if

$$(\forall \Gamma \subseteq F)\ [(\forall \Sigma \subseteq_\omega \Gamma)\ (\Sigma \text{ has a model}) \Rightarrow (\Gamma \text{ has a model})],\ \text{and}$$

(ii) $\mathcal L$ is consequence compact (cons. compact), if

$$\Gamma \models \varphi \ \Rightarrow\ (\exists \Sigma \subseteq_\omega \Gamma)\ \Sigma \models \varphi,\ \text{ for every } \Gamma \cup \{\varphi\} \subseteq F.\ \ \triangleleft$$

EXERCISE 3.2.2: Prove that even for nice logics we have

(1) satisfiability compact $\not\Rightarrow$ consequence compact;

(2) satisfiability compact $\not\Leftarrow$ consequence compact.

(Hint for (1): Let the logical connectives be $\nabla$ (binary), and $True, k_i$ $(i \in \omega)$ all zero-ary. A model $\mathfrak M$ is a function $\mathfrak M : \{True, p_i, k_i : i \in \omega\} \to \{0, 1\}$, $mean_{\mathfrak M}(True) = 1$ for every $\mathfrak M$ and the meaning of $\nabla$ is the standard meaning of the biconditional $\leftrightarrow$. Exclude those models from $M$ in which $(\forall i > 0)\ \mathfrak M(k_i) = 1$ but $\mathfrak M(k_0) = 0$. [This logic is not strongly nice!] Observe that for $\mathfrak M = \{True, p_i, k_i : i \in \omega\} \times \{1\}$ we have $\mathfrak M \models F_{\mathcal L}$. Hence sat. compactness trivially holds.)

(Hint for (2): Let $\mathcal L$ have $True$ and $\nabla$ as the only logical connectives. Exclude the models $\mathfrak M$ with $\mathfrak M \models F_{\mathcal L}$. Then sat. compactness fails (we have infinitely many propositional variables). Show that cons. compactness remains true.) $\triangleleft$

EXERCISE 3.2.3: Find natural conditions under which $\Rightarrow$ and/or $\Leftarrow$ of Exercise 3.2.2 above hold.

(1) We say that $\mathcal L$ has weak false if $(\exists \varphi \in F_{\mathcal L})$ such that $(\forall \mathfrak M \in M)\ \mathfrak M \not\models \varphi$. Show that under this assumption

cons. compact $\Rightarrow$ sat. compact.
(2) We say that $\mathcal L$ has negation if

$$(\forall \varphi \in F)(\exists \psi \in F)(\forall \mathfrak M \in M)\ [\mathfrak M \models \psi \text{ iff } \mathfrak M \not\models \varphi].$$

Show that under this assumption

sat. compact $\Rightarrow$ cons. compact.

(3) Try to find weaker sufficient conditions.

(4) Show that for nice logics

$\mathcal L$ has weak false $\iff$ $\mathcal L$ has negation.

For the whole matter [ANS84] might contain useful info. $\triangleleft$











* * * 




Recall that in Definition 3.1.1 above (and also in the logics studied so far), there was a parameter $P$, which was the set of atomic formulas. The choice of $P$ influenced what the set $F$ of formulas would be. Thus in fact, our old definition of a logic yields a family

$$\{\langle F^P, M^P, \models^P\rangle : P \text{ is a set}\}$$

of logics. The members of this family do not differ significantly except that the cardinality of $P$ matters sometimes.

DEFINITION 3.2.3: (General Logic)

A general logic is a class

$$\mathbf L = \{\mathcal L^\alpha : \alpha \text{ is a cardinal}\},$$

where for each cardinal $\alpha$, $\mathcal L^\alpha = \langle F^\alpha, M^\alpha, \models^\alpha\rangle$ is a logic in the sense of Definition 2.1, that is, $F^\alpha$ is a set, $M^\alpha$ is a class, and $\models^\alpha \subseteq M^\alpha \times F^\alpha$.

$\mathbf L$ is called a (strongly) nice general logic iff conditions (1-3) below hold for $\mathbf L$.

(1) $\mathcal L^\alpha$ is a (strongly) nice logic (cf. Def. 3.1.1) for each cardinal $\alpha$.

(2) For each cardinal $\alpha$ the set $P^\alpha$ of atomic formulas of the logic $\mathcal L^\alpha$ is of cardinality $\alpha$. If $\alpha$ and $\lambda$ are cardinals with $\lambda \le \alpha$ then $P^\lambda \subseteq P^\alpha$ (which implies that $F^\lambda \subseteq F^\alpha$).

(3) For all cardinals $\lambda \le \alpha$

$$\{mean_{\mathfrak M} : \mathfrak M \in M^\lambda\} = \{(mean_{\mathfrak N}) \restriction F^\lambda : \mathfrak N \in M^\alpha\},$$

(cf. item (2) of Def. 3.1.1 for $mean$). Intuitively, this requirement says that $\mathcal L^\lambda$ is the "natural" restriction of $\mathcal L^\alpha$. $\triangleleft$
REMARK 3.2.3.1: As a corollary of item (3) of Definition 3.2.3 above we note that for all cardinals $\alpha, \lambda$, if $\Gamma \cup \{\varphi\} \subseteq F^\alpha \cap F^\lambda$ then

$$\Gamma \models^\alpha \varphi \iff \Gamma \models^\lambda \varphi.\ \ \triangleleft$$

DEFINITION 3.2.4 (Algebraic Counterpart of a General Logic):

Let $\mathbf L = \{\mathcal L^\alpha : \alpha \text{ is a cardinal}\}$ be a nice general logic. Then

$$\mathrm{Alg}_1(\mathbf L) = \bigcup\{\mathrm{Alg}_1(\mathcal L^\alpha) : \alpha \text{ is a cardinal}\},$$

$$\mathrm{Alg}_2(\mathbf L) = \bigcup\{\mathrm{Alg}_2(\mathcal L^\alpha) : \alpha \text{ is a cardinal}\}$$

(cf. Def. 3.1.2). $\triangleleft$

THEOREM 3.2.5. For strongly nice general logics

$$\mathrm{Alg}_1(\mathbf L) = \mathbf{SP}\,\mathrm{Alg}_2(\mathbf L).$$

Proof: First we prove that for any nice logic $\mathcal L = \langle F, M, \models\rangle$, $\mathrm{Alg}_1(\mathcal L) \subseteq \mathbf{SP}\,\mathrm{Alg}_2(\mathcal L)$. We note that if $K$ is a subclass of $M$ then there is a subset $K' \subseteq K$ such that $\mathfrak F/\sim_K = \mathfrak F/\sim_{K'}$ (this holds because $F$ is always a set). Now let $K$ be any subclass of $M$ and let $K' \subseteq K$ have the property above. Then function $h$ below is a one-one homomorphism (i.e. an embedding) of $\mathfrak F/\sim_K$ into $\mathbf P_{\mathfrak M \in K'}\, mean_{\mathfrak M}(\mathfrak F)$. For each $\varphi \in F$

$$h(\varphi/\sim_K) = \langle mean_{\mathfrak M}(\varphi) : \mathfrak M \in K'\rangle.$$

Next we prove that $\mathbf{SP}\,\mathrm{Alg}_2(\mathbf L) \subseteq \mathrm{Alg}_1(\mathbf L)$. Assume $\mathfrak A \subseteq \mathbf P_{\mathfrak M \in K}\, mean_{\mathfrak M}(\mathfrak F^\lambda)$ for some cardinal $\lambda$ and set $K \subseteq M^\lambda$. Let $\alpha = |\mathfrak A|$, fix any bijection from the set $P^\alpha$ of atomic formulas of $\mathcal L^\alpha$ onto $A$ and let $h : \mathfrak F^\alpha \to \mathfrak A$ be its natural extension to a homomorphism onto $\mathfrak A$.

Claim 3.2.5.1: For every $\mathfrak M \in K$ there is some $\mathfrak N \in M^\alpha$ such that

$$(\forall p \in P^\alpha)\ mean_{\mathfrak N}(p) = h(p)_{\mathfrak M},$$

where $h(p)_{\mathfrak M}$ denotes the $\mathfrak M$-th member of the sequence $h(p)$.

Proof of Claim 3.2.5.1: Fix any $\mathfrak M \in K$ and assume that $h(p)_{\mathfrak M} = mean_{\mathfrak M}(\gamma_p)$ for some formula $\gamma_p \in F^\lambda$. Then, by (3) of Def. 3.2.3, there is some $\mathfrak N' \in M^\alpha$ with $mean_{\mathfrak N'}(\gamma_p) = mean_{\mathfrak M}(\gamma_p)$. Let $s_{\mathfrak M} : F^\alpha \to F^\alpha$ be the substitution defined by

$(\bullet)$

Then condition (5) of Def. 3.1.1 gives a model $\mathfrak N \in M^\alpha$ with $mean_{\mathfrak N}(p) = mean_{\mathfrak N'}(\gamma_p)$. ▮
Now for each $\mathfrak M \in K$ we can define a nonempty class $M(\mathfrak M) \subseteq M^\alpha$ as follows.

$$M(\mathfrak M) = \{\mathfrak N \in M^\alpha : (\forall p \in P^\alpha)\ mean_{\mathfrak N}(p) = h(p)_{\mathfrak M}\}.$$

Let $K' = \bigcup\{M(\mathfrak M) : \mathfrak M \in K\}$.

Claim 3.2.5.2: $\mathfrak F^\alpha/\sim_{K'} \cong \mathfrak A$.

Proof of Claim 3.2.5.2: Fix an $\mathfrak M \in K$ and let $s_{\mathfrak M}$ be the substitution in $(\bullet)$ above. It can be proved by induction on the complexity of formulas that for any formula $\varphi \in F^\alpha$ and for any $\mathfrak N \in M(\mathfrak M)$

$$h(\varphi)_{\mathfrak M} = mean_{\mathfrak M}(\varphi(s_{\mathfrak M})) = mean_{\mathfrak N}(\varphi),$$

where $\varphi(s_{\mathfrak M})$ is obtained from $\varphi$ by substituting $s_{\mathfrak M}(p)$ for each atomic formula $p$ occurring in $\varphi$. Now $h$ gives the required isomorphism between $\mathfrak F^\alpha/\sim_{K'}$ and $\mathfrak A$, since for all formulas $\varphi, \psi \in F^\alpha$

$$h(\varphi) = h(\psi) \ \text{ iff }\ \varphi \sim_{K'} \psi,$$

which proves Claim 3.2.5.2. ▮

Now, since $\mathfrak F^\alpha/\sim_{K'} \in \mathrm{Alg}_1(\mathcal L^\alpha)$, the proof of Theorem 3.2.5 is completed. ▮

DEFINITION 3.2.5: A general logic $\mathbf L = \{\mathcal L^\alpha : \alpha \text{ is a cardinal}\}$ is satisfiability (consequence) compact if for each cardinal $\alpha$ the logic $\mathcal L^\alpha$ is satisfiability (consequence) compact. $\triangleleft$

For an arbitrary class $\mathbf K$ of algebras,

$$\mathbf{Up}\,\mathbf K = \mathbf I\{\mathbf P_{i \in I}\mathfrak A_i/\mathcal F : \mathcal F \text{ is an ultrafilter over the set } I, \text{ and } (\forall i \in I)\ \mathfrak A_i \in \mathbf K\}.$$

We say that $\mathbf K$ is $\mathbf{Up}$-closed if $\mathbf{Up}\,\mathbf K \subseteq \mathbf K$, in other words, $\mathbf K$ is $\mathbf{Up}$-closed if it is closed under taking ultraproducts.

Our next theorem gives a sufficient condition for sat. compactness of a general logic.

THEOREM 3.2.6. Assume $\mathbf L$ is a strongly nice general logic. Then

$$(\mathrm{Alg}_1(\mathbf L) \text{ is } \mathbf{Up}\text{-closed}) \ \Rightarrow\ (\mathbf L \text{ is sat. compact}).$$

Proof: We let $\mathbf L = \{\mathcal L^\alpha : \alpha \text{ is a cardinal}\}$. We give a proof for the compactness of $\mathcal L^\omega = \langle F^\omega, M^\omega, \models^\omega\rangle$. For other cardinals the proof is similar and is left to the reader. Assume $\Gamma \subseteq F^\omega$ and

$$(\forall \Sigma \subseteq_\omega \Gamma)\ \Sigma \text{ has a model}.$$

Then we may assume that $\Gamma = \{\varphi_n\}_{n \in \omega}$ and

$$(\forall k \in \omega)(\exists \mathfrak M_k \in M^\omega)\ \mathfrak M_k \models \{\varphi_0, \ldots, \varphi_k\}.$$
Let such $\mathfrak M_k$'s be fixed. Let $mean_k = mean_{\mathfrak M_k}$. Let $\mathfrak A_k = mean_k(\mathfrak F^\omega) \in \mathrm{Alg}_2(\mathbf L)$. Then $\mathfrak A_k \in \mathrm{Alg}_1(\mathbf L)$ also holds (cf. Exercise 3.1.3). Let $P^\omega$ be the set of atomic formulas of $\mathcal L^\omega$. Then the function $mean_k : P^\omega \to A_k$ is a valuation of the variables into $\mathfrak A_k$. Let $\mathcal F$ be a non-principal ultrafilter over $\omega$, and let $\mathfrak A$ denote the ultraproduct $\mathbf P_{k \in \omega}\mathfrak A_k/\mathcal F$ of the algebras $\mathfrak A_k$ w.r.t. $\mathcal F$. We define the function $v : \omega \to A$ as follows:

$$v(i) = \langle mean_k(p_i) : k \in \omega\rangle/\mathcal F.$$

See Figure 3.1 below.


[Figure 3.1]
By assumption, $\mathfrak M_k \models \varphi_i$ for every $i \le k$. Thus, for every $i \le k \in \omega$, we have the following:

$\mathfrak M_k \models^\omega \varphi_i$

$\Updownarrow$ by Definition 3.1.1 (3)(ii)

$\mathfrak M_k \models True\nabla\varphi_i$

$\Updownarrow$ by Definition 3.1.1 (3)(i)

$mean_k(True) = mean_k(\varphi_i)$

$\Updownarrow$

$\mathfrak A_k \models (\varphi_i = True)[mean_k]$.

We derived that $(\forall k \in \omega)(\forall i \le k)\ \mathfrak A_k \models (\varphi_i = True)[mean_k]$, i.e. for every $i \in \omega$, $\{k \in \omega : \mathfrak A_k \models \varphi_i = True[mean_k]\} \in \mathcal F$. Using Łoś' theorem, we have that

$$(\forall i \in \omega)\ \mathfrak A \models (\varphi_i = True)[v].$$

Since by our assumption $\mathrm{Alg}_1(\mathbf L)$ is $\mathbf{Up}$-closed, $\mathfrak A \in \mathrm{Alg}_1(\mathbf L)$. Thus $(\exists\ \text{cardinal } \alpha \ge \omega)(\exists K \subseteq M^\alpha)\ \mathfrak A \cong \mathfrak F^\alpha/\sim_K$. Let $iso$ denote this isomorphism. Let $\mathfrak B = \mathfrak F^\alpha/\sim_K$ and let $w = iso \circ v$ (i.e. $w$ is the composition of $v$ and $iso$). Then

$$(\forall i \in \omega)\ \mathfrak B \models (\varphi_i = True)[w],$$

that is,

$$(\forall i \in \omega)\ \varphi_i[w]^{\mathfrak B} = True^{\mathfrak B}.$$

Let $P^\alpha$ denote the set of atomic formulas of $\mathcal L^\alpha$. Let $s : P^\omega \to F^\alpha$ be such that for all $p \in P^\omega$, $s(p)$ is an element of the congruence class $w(p)$. For every $i \in \omega$, let $\varphi_i'$ be $\varphi_i(p_{i_0}/s(p_{i_0}), \ldots, p_{i_n}/s(p_{i_n}))$, where all the atomic formulas (elements of $P^\omega$) occurring in $\varphi_i$ are among $\{p_{i_0}, \ldots, p_{i_n}\}$. Then for every $i \in \omega$ we have,

$$\varphi_i[s(p_{i_0})/\sim_K, \ldots, s(p_{i_n})/\sim_K]^{\mathfrak B} = True^{\mathfrak B}$$

$\Updownarrow$ ($\sim_K$ is a congruence on $\mathfrak F^\alpha$)

$$\varphi_i(s(p_{i_0}), \ldots, s(p_{i_n}))/\sim_K = True/\sim_K$$

$$(\dagger)\qquad \varphi_i'/\sim_K = True/\sim_K.$$

Let $\mathfrak M$ be any model belonging to $K$. Then for every $i \in \omega$ we have $\mathfrak M \models \varphi_i'$. Then, by (5) of Definition 3.1.1 (semantical substitution property),

$$(\exists \mathfrak N' \in M^\alpha)(\forall i \in \omega)\ mean_{\mathfrak N'}(\varphi_i) = mean_{\mathfrak N'}(True).$$

Since $True$ and $\varphi_i$ belong to $F^\omega$, by (3) of Def. 3.2.3, there is a model $\mathfrak N \in M^\omega$ such that

$$(\forall i \in \omega)\ mean_{\mathfrak N}(\varphi_i) = mean_{\mathfrak N'}(\varphi_i) \ \text{ and }\ mean_{\mathfrak N}(True) = mean_{\mathfrak N'}(True).$$

Then, by Definition 3.1.1 (3),

$$(\forall i \in \omega)\ \mathfrak N \models^\omega \varphi_i,$$

which proves Theorem 3.2.6. ▮

Our next theorem states that the condition of Theorem 3.2.6 above is sufficient and also necessary for cons. compactness, and so for strong completeness (cf. Theorem 3.2.8 below).

THEOREM 3.2.7. (cf. [ANS84] Thm. 2.8)

Assume $\mathbf L$ is a strongly nice general logic. Then

$$(\mathrm{Alg}_1(\mathbf L) \text{ is } \mathbf{Up}\text{-closed}) \iff (\mathbf L \text{ is cons. compact}).$$

Proof of ($\Rightarrow$): One can push through the proof of Theorem 3.2.6 for this case, as follows. Now we want to prove $\{\varphi_i : i \in \omega\} \not\models \psi$ from the assumption $\{\varphi_0, \ldots, \varphi_k\} \not\models \psi$ for each $k \in \omega$. Change $\mathfrak M_k$ in the above proof such that $\mathfrak M_k \models \{\varphi_0, \ldots, \varphi_k\}$, $\mathfrak M_k \not\models \psi$. Drag this "$\not\models \psi$" part through the whole argument in exactly the same style as "$\models \varphi_k$" was treated in the original proof. Then in line $(\dagger)$ of the proof above we have $(\forall i \in \omega)\ \varphi_i'/\sim_K = True/\sim_K$ and $\psi'/\sim_K \ne True/\sim_K$ for some class $K \subseteq M^\alpha$.

Now we cannot choose an arbitrary $\mathfrak M \in K$ but we can infer that there exists some $\mathfrak M \in K$ such that $(\forall i \in \omega)\ \mathfrak M \models \varphi_i'$ and $\mathfrak M \not\models \psi'$. Thus, again by (5) of Def. 3.1.1 and by (3) of Def. 3.2.3, there is an $\mathfrak N \in M^\omega$ with $\mathfrak N \models \{\varphi_i : i \in \omega\}$ and $\mathfrak N \not\models \psi$, as was desired. ▮

Proof of ($\Leftarrow$): Fix any set $I$ and assume that for each $i \in I$, $\mathfrak A_i \in \mathrm{Alg}_1(\mathcal L^{\lambda_i})$ for some cardinal $\lambda_i$, that is (by Theorem 3.2.5),

$$\mathfrak A_i \subseteq \mathbf P_{\mathfrak M \in K_i}\, mean_{\mathfrak M}(\mathfrak F^{\lambda_i}).$$

Now let $\lambda = \sup\{\lambda_i : i \in I\}$ and define $K \subseteq M^\lambda$ as

$$K = \{\mathfrak N \in M^\lambda : (\exists i \in I)(\exists \mathfrak M \in K_i)\ mean_{\mathfrak M} = mean_{\mathfrak N} \restriction F^{\lambda_i}\}.$$

Then $\mathfrak B = \mathbf P_{i \in I}\mathfrak A_i \subseteq \mathbf P_{\mathfrak N \in K}\, mean_{\mathfrak N}(\mathfrak F^\lambda)$ by (2) and (3) of Def. 3.2.3.

Let $\alpha = |\mathfrak B|$, fix any bijection from the set $P^\alpha$ of atomic formulas of $\mathcal L^\alpha$ onto $B$ (the universe of $\mathfrak B$) and let $h : \mathfrak F^\alpha \to \mathfrak B$ be its natural extension to a homomorphism onto $\mathfrak B$. For each $X \subseteq I$ define the congruence $R_X$ of $\mathfrak B$ as follows.

$$R_X = \{\langle a, b\rangle \in {}^2 B : a \restriction X = b \restriction X\}.$$

Claim 3.2.7.1: Let $h$ and $R_X$ be as above. Then for any $X \subseteq I$ there is some $M_X \subseteq M^\alpha$ such that

(i) $(\forall \varphi, \psi \in F^\alpha)\ [\langle h(\varphi), h(\psi)\rangle \in R_X \iff \varphi \sim_{M_X} \psi]$;

(ii) if $X \subseteq Y \subseteq I$ then $M_X \subseteq M_Y \subseteq M^\alpha$.

Proof of Claim 3.2.7.1: Recall that $\mathfrak B \subseteq \mathbf P_{\mathfrak N \in K}\, mean_{\mathfrak N}(\mathfrak F^\lambda)$. Fix some $X \subseteq I$. Then $\mathfrak B/R_X \subseteq \mathbf P_{i \in X}\mathfrak A_i$ obviously holds. Thus there is some $K_X \subseteq K$ such that $\mathfrak B/R_X \subseteq \mathbf P_{\mathfrak M \in K_X}\, mean_{\mathfrak M}(\mathfrak F^\lambda)$.

Now it can be proved (cf. Claim 3.2.5.1) that for every $\mathfrak M \in K_X$ there is some $\mathfrak N \in M^\alpha$ such that

$$(\forall p \in P^\alpha)\ mean_{\mathfrak N}(p) = h(p)_{\mathfrak M},$$

where $h(p)_{\mathfrak M}$ denotes the $\mathfrak M$-th member of the sequence $h(p)$.

For each $\mathfrak M \in K_X$ we can define a nonempty class $M(\mathfrak M) \subseteq M^\alpha$ as follows.

$$M(\mathfrak M) = \{\mathfrak N \in M^\alpha : (\forall p \in P^\alpha)\ mean_{\mathfrak N}(p) = h(p)_{\mathfrak M}\}.$$

Let $M_X = \bigcup\{M(\mathfrak M) : \mathfrak M \in K_X\}$. Then $M_X$ has property (ii) above by definition. It can be proved that $M_X$ also has (i) (cf. the proof of Claim 3.2.5.2). ▮

By Claim 3.2.7.1 (i) above and by Fact 3.1.2.1, for each $X \subseteq I$ there is a set $\Gamma_X \subseteq F^\alpha$ such that

$$(\forall \varphi, \psi \in F^\alpha)\ [\langle h(\varphi), h(\psi)\rangle \in R_X \iff \varphi \sim_{\Gamma_X} \psi].$$

Moreover, by (ii) of the above claim, for any $X, Y \subseteq I$,

$$(*)\qquad X \subseteq Y \ \Rightarrow\ \Gamma_Y \subseteq \Gamma_X.$$
Claim 3.2.7.2: Let $\mathcal F$ be any filter on $I$ and let $\Gamma = \bigcup\{\Gamma_X : X \in \mathcal F\}$. Then for every $\varphi, \psi \in F^\alpha$

$$(\exists X \in \mathcal F)\ \varphi \sim_{\Gamma_X} \psi \iff \varphi \sim_\Gamma \psi.$$

Proof of Claim 3.2.7.2:

First, assume that $(\exists X \in \mathcal F)\ \varphi \sim_{\Gamma_X} \psi$. Then, since $\Gamma_X \subseteq \Gamma$, $\varphi \sim_\Gamma \psi$ obviously holds. On the other hand, assume $\varphi \sim_\Gamma \psi$. Then $\Gamma \models^\alpha \varphi\nabla\psi$. Then, by the cons. compactness of $\mathcal L^\alpha$, there is some $\Delta \subseteq_\omega \Gamma$ with $\Delta \models^\alpha \varphi\nabla\psi$. Say, $\Delta = \{\chi_0, \ldots, \chi_{n-1}\}$. Since $\Delta \subseteq \Gamma$, $(\forall j < n)(\exists X_j \in \mathcal F)\ \chi_j \in \Gamma_{X_j}$. Let $X = \bigcap\{X_j : j < n\}$. Then $X \in \mathcal F$, since $\mathcal F$ is a filter. Now $\Delta \subseteq \Gamma_{X_0} \cup \cdots \cup \Gamma_{X_{n-1}} \subseteq \Gamma_X$ holds by $(*)$ above, thus $\Gamma_X \models^\alpha \varphi\nabla\psi$, which implies $\varphi \sim_{\Gamma_X} \psi$. ▮

Now we want to prove that $\mathfrak B/\mathcal F \in \mathrm{Alg}_1(\mathbf L)$. We show that $\mathfrak B/\mathcal F \cong \mathfrak F^\alpha/\sim_\Gamma$. That is,

$$(\forall \varphi, \psi \in F^\alpha)\ [h(\varphi)/\mathcal F = h(\psi)/\mathcal F \iff \varphi \sim_\Gamma \psi]$$

holds. Indeed,

$h(\varphi)/\mathcal F = h(\psi)/\mathcal F$

$\iff (\exists X \in \mathcal F)\ \langle h(\varphi), h(\psi)\rangle \in R_X$

(Claim 3.2.7.1 (i)) $\iff (\exists X \in \mathcal F)\ \varphi \sim_{\Gamma_X} \psi$

(Claim 3.2.7.2) $\iff \varphi \sim_\Gamma \psi$,

which completes the proof of Theorem 3.2.7. We note that we proved that $\mathrm{Alg}_1(\mathbf L)$ is closed under taking arbitrary reduced products (not only ultraproducts). ▮

THEOREM 3.2.8:

Assume $\mathbf L = \{\mathcal L^\alpha : \alpha \text{ is a cardinal}\}$ is a strongly nice general logic. Then

$\mathrm{Alg}_1(\mathbf L)$ is a finitely axiomatizable quasivariety

$$\iff$$

$(\exists\ \text{Hilbert-style } \vdash)(\forall\ \text{cardinal } \alpha)(\vdash \text{ is strongly complete and strongly sound for } \mathcal L^\alpha)$.

To prove Theorem 3.2.8 we need the following claim.

Claim 3.2.8.1: For every cardinal $\alpha \ge \omega$ and for every quasiequation $q$

$$\mathrm{Alg}_2(\mathcal L^\alpha) \models q \ \Rightarrow\ \mathrm{Alg}_2(\mathbf L) \models q.$$

Proof of Claim 3.2.8.1: Fix a cardinal $\alpha$ and a quasiequation $q$ with $\mathrm{Alg}_2(\mathcal L^\alpha) \models q$. Let $\mathfrak A \in \mathrm{Alg}_2(\mathcal L^\beta)$ for some cardinal $\beta$. Then there is some $\mathfrak M \in M^\beta$ with $\mathfrak A = mean_{\mathfrak M}(\mathfrak F^\beta)$.

First assume that $\beta \le \alpha$. By (3) of Definition 3.2.3, there is an $\mathfrak N \in M^\alpha$ with $mean_{\mathfrak N} \restriction F^\beta = mean_{\mathfrak M}$. Then $\mathfrak A \subseteq mean_{\mathfrak N}(\mathfrak F^\alpha) \in \mathrm{Alg}_2(\mathcal L^\alpha)$, thus $\mathfrak A \models q$, since quasiequations are preserved under taking subalgebras.
Now let $\beta > \alpha$ and assume that $\mathfrak A \not\models q[k]$ for some evaluation $k$ of the variables. Say, let $k(x_i) = mean_{\mathfrak M}(\gamma_i)$ $(1 \le i \le n)$, assuming that $x_1, \ldots, x_n$ are the only variables occurring free in $q$. Assume that the atomic formulas occurring in the formulas $\gamma_1, \ldots, \gamma_n$ are among $p_{i_1}, \ldots, p_{i_m}$ and let $s$ be the following substitution:

$$(\forall 1 \le j \le m)\ s(p_j) = p_{i_j}.$$

Then, by (5) of Definition 3.1.1,

$$(\exists \mathfrak N \in M^\beta)(\forall 1 \le i \le n)\ mean_{\mathfrak M}(\gamma_i) = mean_{\mathfrak N}(\gamma_i(p_{i_1}/p_1, \ldots, p_{i_m}/p_m)).$$

By (3) of Definition 3.2.3, $(\exists \mathfrak N' \in M^\alpha)\ mean_{\mathfrak N} \restriction F^\alpha = mean_{\mathfrak N'}$. Now, let $\mathfrak B = mean_{\mathfrak N'}(\mathfrak F^\alpha)$ and let $k'(x_i) = mean_{\mathfrak N'}(\gamma_i(p_1, \ldots, p_m))$. Then $\mathfrak A \not\models q[k]$ implies $\mathfrak B \not\models q[k']$, which contradicts $\mathfrak B \in \mathrm{Alg}_2(\mathcal L^\alpha)$. ▮

Proof of ($\Rightarrow$) of Theorem 3.2.8: Assume that $Ax$ is a finite set of quasiequations axiomatizing $\mathrm{Alg}_1(\mathbf L)$. Since $\mathrm{Alg}_1(\mathbf L) = \mathbf{SP}\,\mathrm{Alg}_2(\mathbf L)$ (cf. Theorem 3.2.5), by Claim 3.2.8.1 above, $Ax$ also axiomatizes the quasivariety generated by $\mathrm{Alg}_2(\mathcal L^\alpha)$ for each infinite cardinal $\alpha$. Thus, by Theorem 3.2.1, for each $\alpha \ge \omega$ there is a finitely complete and strongly sound Hilbert-style inference system $\vdash$ for $\mathcal L^\alpha$. Moreover, checking the proof of Theorem 3.2.1 one can observe that the same inference system $\vdash$ works for every $\alpha \ge \omega$. We show that for any cardinal $\lambda$, $\vdash$ is strongly complete for $\mathcal L^\lambda$. Assume that for some $\Gamma \cup \{\varphi\} \subseteq F^\lambda$, $\Gamma \models^\lambda \varphi$. Then there is some $\alpha \ge \omega$ such that $\Gamma \cup \{\varphi\} \subseteq F^\alpha$ and $\Gamma \models^\alpha \varphi$ (cf. Remark 3.2.3.1 above). Since quasivarieties are $\mathbf{Up}$-closed, $\mathbf L$ is cons. compact by Theorem 3.2.7. Therefore there is a finite subset $\Sigma$ of $\Gamma$ such that $\Sigma \models^\alpha \varphi$. Thus, by finite completeness $\Sigma \vdash \varphi$, which implies $\Gamma \vdash \varphi$ by the definition of derivability (Def. 3.1.5). ▮

Proof of ($\Leftarrow$) of Theorem 3.2.8: If $\vdash$ is strongly complete then it is also finitely complete. Thus, by Theorem 3.2.1, the quasivariety generated by $\mathrm{Alg}_2(\mathcal L^\alpha)$ is finitely axiomatizable for each cardinal $\alpha$. On the other hand, strong completeness implies cons. compactness, as follows. Assume that for some $\Gamma \cup \{\varphi\} \subseteq F^\alpha$, $\Gamma \models^\alpha \varphi$. Then $\Gamma \vdash \varphi$, which implies by Definition 3.1.5 that there is a finite subset $\Sigma$ of $\Gamma$ such that $\Sigma \vdash \varphi$. Then, by soundness, $\Sigma \models^\alpha \varphi$. Now, by Theorem 3.2.7, $\mathrm{Alg}_1(\mathbf L)$ is $\mathbf{Up}$-closed. But by Theorem 3.2.5, it is also closed under $\mathbf S$ and $\mathbf P$, thus it is a quasivariety. This and the fact that the quasivarieties generated by $\mathrm{Alg}_2(\mathcal L^\alpha)$ are finitely axiomatizable (with the same set $Ax$ of quasiequations, as the proof of Theorem 3.2.1 shows) imply that $\mathrm{Alg}_1(\mathbf L)$ is a finitely axiomatizable quasivariety. ▮

EXERCISE 3.2.4: Show that $\mathcal L_S$ and $S5$ have strongly complete and sound Hilbert-style inference systems. Give such calculi. (Hint: Use that the corresponding classes of algebras ($\mathrm{Alg}_2(\mathcal L_S) = \mathbf{BA}$ and $\mathrm{Alg}_2(\mathcal L_{S5}) = \mathbf{Cs}_1$) generate finitely axiomatizable varieties.) $\triangleleft$


3.3. Some universal algebraic tools for algebraic logic

So far we have seen that the algebraic counterparts $\mathrm{Alg}_1(\mathbf L)$ of many logics are quasivarieties. However, there are logics for which $\mathrm{Alg}_1(\mathbf L)$ is nicer, it is a variety (that is, $\mathrm{Alg}_1(\mathcal L)$ is closed not only under $\mathbf S$ and $\mathbf P$ but also $\mathbf H$). Usually, it is a difficult task to prove that a certain class of algebras is closed under homomorphism. Theorem 3.3.1 below gives us considerable help by proving that certain quasivarieties are already varieties.

DEFINITION 3.3.1:

(i) A class $\mathbf K$ of algebras is said to have a discriminator term iff there is a term $\tau(x, y, z, u)$ in the language of $\mathbf K$ such that in every member of $\mathbf K$ we have

$$\tau(x, y, z, u) = \begin{cases} z & \text{if } x = y, \\ u & \text{otherwise.} \end{cases}$$

(ii) A variety $\mathbf V$ is called a discriminator variety if the class $\mathrm{Sir}(\mathbf V)$ of subdirectly irreducible members of $\mathbf V$ has a discriminator term. $\triangleleft$

EXERCISES 3.3.1:

(1) Show that if $\mathbf K$ has a discriminator term then $\mathbf K$ consists of simple algebras.

(2) Assume that the Boolean operations $-, \wedge, 0, 1$ are available in $\mathbf K$ and that they satisfy the Boolean axioms (i.e. every element of $\mathbf K$ is a Boolean algebra with some further operations). This property will be referred to as '$\mathbf K$ has a Boolean reduct'. Prove that $\mathbf K$ has a discriminator term iff there is a term $c(x)$ in the language of $\mathbf K$ such that

$$c(x) = \begin{cases} 0 & \text{if } x = 0, \\ 1 & \text{otherwise} \end{cases}$$

in every member of $\mathbf K$. (Hint: $\tau(x, y, z, u) = [c(x \oplus y) \wedge u] \vee [z \wedge -c(x \oplus y)]$. Here $\oplus$ denotes symmetric difference.)

(3) Check how much simplification one can achieve in the proof of Thm. 3.3.1 below under assuming that $\mathbf K$ has a Boolean reduct (cf. item (2) above). $\triangleleft$
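As an added worked check of item (2) (it is not part of the original text), the two cases of the hint term and the converse construction are carried through; the only assumption is a Boolean reduct, in which $x \oplus y = 0 \iff x = y$.

```latex
\begin{aligned}
&\text{Let } \tau(x,y,z,u) = [c(x\oplus y)\wedge u]\vee[z\wedge -c(x\oplus y)].\\[4pt]
&\text{Case } x = y:\quad x\oplus y = 0,\ \ c(0) = 0,\ \text{so}\\
&\qquad \tau(x,y,z,u) = [0\wedge u]\vee[z\wedge -0] = 0\vee(z\wedge 1) = z.\\[4pt]
&\text{Case } x \ne y:\quad x\oplus y \ne 0,\ \ c(x\oplus y) = 1,\ \text{so}\\
&\qquad \tau(x,y,z,u) = [1\wedge u]\vee[z\wedge -1] = u\vee(z\wedge 0) = u.\\[4pt]
&\text{Hence } \tau \text{ is a discriminator term in the sense of Def. 3.3.1 (i).}\\[6pt]
&\text{Conversely, given a discriminator term } \tau, \text{ put } c(x) := \tau(x,0,0,1):\\
&\qquad c(0) = \tau(0,0,0,1) = 0 \quad(\text{first argument equals the second, so } \tau \text{ returns } z = 0),\\
&\qquad x \ne 0 \ \Rightarrow\ c(x) = \tau(x,0,0,1) = 1 \quad(\text{arguments differ, so } \tau \text{ returns } u = 1),\\
&\text{which is exactly the term } c(x) \text{ required in item (2).}
\end{aligned}
```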

THEOREM 3.3.1. Let $\mathbf K$ be a class of similar algebras. Assume that $\mathbf K$ has a discriminator term. Then

$$\mathbf{HSP}\,\mathbf K = \mathbf{SPUp}\,\mathbf K.$$

To prove Theorem 3.3.1 we need the following lemmas.

Lemma 3.3.1.1: Assume that the class $\mathbf K$ of algebras has a discriminator term. Let $I$ be a set and $\{\mathfrak A_i : i \in I\} \subseteq \mathbf K$. Let $\mathfrak A \subseteq \mathbf P_{i \in I}\mathfrak A_i$ and let $\theta \in \mathrm{Con}(\mathfrak A)$. For any $a, b \in A$, let $Eq(a, b) = \{i \in I : a_i = b_i\}$. Then

(1) $(\forall \langle a, b\rangle, \langle c, d\rangle \in \theta)(\exists \langle e, f\rangle \in \theta)\ Eq(e, f) = Eq(a, b) \cap Eq(c, d)$.

(2) $(\forall a, b, c, d \in A)\ [(\langle a, b\rangle \in \theta\ \&\ Eq(a, b) \subseteq Eq(c, d)) \Rightarrow \langle c, d\rangle \in \theta]$.

Proof of Lemma 3.3.1.1: Let $\tau$ be a discriminator term on $\mathbf K$.

Let $\langle a, b\rangle, \langle c, d\rangle \in \theta$, and let $e = \tau(a, b, c, a)$, $f = \tau(a, b, d, b)$. Then $\langle e, f\rangle \in \theta$.

Assume $i \notin Eq(a, b) \cap Eq(c, d)$. If $i \notin Eq(a, b)$, then $e_i = a_i \ne b_i = f_i$. If $i \in Eq(a, b)$, then $i \notin Eq(c, d)$, thus $e_i = c_i \ne d_i = f_i$. Thus $i \notin Eq(e, f)$, proving $Eq(e, f) \subseteq Eq(a, b) \cap Eq(c, d)$.

Assume $i \in Eq(a, b) \cap Eq(c, d)$. Then $e_i = c_i = d_i = f_i$, thus $i \in Eq(e, f)$, proving $Eq(a, b) \cap Eq(c, d) \subseteq Eq(e, f)$. By this we have proved (1).

To see (2), assume $\langle a, b\rangle \in \theta$ and $Eq(a, b) \subseteq Eq(c, d)$. By $\langle a, b\rangle \in \theta$, we have $c = \tau(a, a, c, d)\ \theta\ \tau(a, b, c, d) = x$. We will show that $x = d$. If $a_i = b_i$, then $c_i = d_i$ by $Eq(a, b) \subseteq Eq(c, d)$, hence $x_i = d_i$. If $a_i \ne b_i$, then $x_i = d_i$ by the choice of $\tau$. Thus $\langle c, d\rangle \in \theta$, proving (2). ▮

Lemma 3.3.1.2: Let $\mathbf K, I, \mathfrak A_i, \mathfrak A, \theta$ be as in the formulation of Lemma 3.3.1.1. Then there is a filter $\mathcal F$ over $I$ such that

$$(*)\qquad (\forall a, b \in A)\ (\langle a, b\rangle \in \theta \iff Eq(a, b) \in \mathcal F).$$

Proof of Lemma 3.3.1.2: Let $\mathbf K, I, \mathfrak A_i, \mathfrak A, \theta, \tau$ be as above. Let

$$\mathcal F = \{X \subseteq I : X \supseteq Eq(a, b) \text{ for some } \langle a, b\rangle \in \theta\}.$$

We show that $\mathcal F$ is a filter over $I$, as follows.

$\mathcal F$ is closed under finite intersections: $X, Y \in \mathcal F \Rightarrow X \cap Y \supseteq Eq(a, b) \cap Eq(c, d)$ for some $\langle a, b\rangle, \langle c, d\rangle \in \theta$. Then $Eq(a, b) \cap Eq(c, d) = Eq(e, f)$ for some $\langle e, f\rangle \in \theta$ by Lemma 3.3.1.1 (1). Thus $X \cap Y \supseteq Eq(e, f)$, for $\langle e, f\rangle \in \theta$.

From the definition of $\mathcal F$ it follows that $I \in \mathcal F$ and that

$$(\forall Y \subseteq I)\ [(\exists X \in \mathcal F)\ Y \supseteq X \ \Rightarrow\ Y \in \mathcal F].$$

We have seen that $\mathcal F$ is a filter over $I$. It remains to show that $\mathcal F$ satisfies $(*)$ above.

$Eq(a, b) \in \mathcal F \iff (\exists \langle c, d\rangle \in \theta)\ Eq(c, d) \subseteq Eq(a, b)$ so, by Lemma 3.3.1.1 (2), $\langle a, b\rangle \in \theta$, proving $Eq(a, b) \in \mathcal F \Rightarrow \langle a, b\rangle \in \theta$. The other direction follows from the definition of $\mathcal F$. ▮

Recall that for an arbitrary class $\mathbf K$ of algebras,

$$\mathbf P'\mathbf K = \mathbf I\{\mathbf P_{i \in I}\mathfrak A_i/\mathcal F : \mathcal F \text{ is a filter over the set } I, \text{ and } (\forall i \in I)\ \mathfrak A_i \in \mathbf K\}.$$

The following is an easy fact of elementary universal algebra (cf. also e.g. Burris–Sankappanavar [BS81] or Németi–Sain [NS81]).

Lemma 3.3.1.3: Let $\mathbf K$ be an arbitrary class of similar algebras. Then

$$\mathbf P'\mathbf K \subseteq \mathbf{SPUp}\,\mathbf K.$$

Proof of Lemma 3.3.1.3: Let $I$ be a set, $\{\mathfrak A_i : i \in I\} \subseteq \mathbf K$, $\mathcal F$ a filter over $I$, $\mathfrak B = \mathbf P_{i \in I}\mathfrak A_i/\mathcal F \in \mathbf P'\mathbf K$. Let

$$U = \{\mathcal G : \mathcal G \text{ is an ultrafilter over } I \text{ and } \mathcal G \supseteq \mathcal F\}.$$

Let $h : \mathfrak B \to \mathbf P\{\mathbf P_{i \in I}\mathfrak A_i/\mathcal G : \mathcal G \in U\}$ be defined as $h(a/\mathcal F) = \langle a/\mathcal G : \mathcal G \in U\rangle$. It is not hard to check that $h$ is an embedding, therefore $\mathfrak B \in \mathbf{SPUp}\,\mathbf K$. ▮

Proof of Theorem 3.3.1: Let $\mathfrak B \in \mathbf{HSP}\,\mathbf K$ be arbitrary. Then there are $I, \theta, \mathfrak A$ as in the formulation of Lemma 3.3.1.1 such that $\mathfrak B \cong \mathfrak A/\theta$. By Lemma 3.3.1.2, there is a filter $\mathcal F$ on $I$ such that $\mathfrak A/\theta \subseteq \mathbf P_{i \in I}\mathfrak A_i/\mathcal F$, thus $\mathfrak B \in \mathbf{SP}'\mathbf K$. This shows $\mathbf{HSP}\,\mathbf K \subseteq \mathbf{SP}'\mathbf K$. By Lemma 3.3.1.3, $\mathbf{SP}'\mathbf K \subseteq \mathbf{SSPUp}\,\mathbf K = \mathbf{SPUp}\,\mathbf K$, thus $\mathbf{HSP}\,\mathbf K \subseteq \mathbf{SPUp}\,\mathbf K$.

On the other hand, $\mathbf{SPUp}\,\mathbf K \subseteq \mathbf{HSP}\,\mathbf K$, by $\mathbf{Up} \subseteq \mathbf{HP}$, $\mathbf{PH} \subseteq \mathbf{HP}$, $\mathbf{SH} \subseteq \mathbf{HS}$, and $\mathbf{PP} = \mathbf P$. Thus we completed the proof of Theorem 3.3.1. ▮

COROLLARY 3.3.1: Assume K has a discriminator term. Then

(i) K is contained in some discriminator variety.

(ii) The subdirectly irreducible members of HSP K are exactly the subdirectly irreducibles of SUp K.

Proof:

(ii): Let $\mathfrak{A}$ be a subdirectly irreducible member of HSP K. By Theorem 3.3.1, $\mathfrak{A} \in SP(SUp\,K)$. Then $\mathfrak{A}$ is a subdirect product of algebras from SUp K. By irreducibility, then $\mathfrak{A} \in SUp\,K$. This proves (ii).

(i): The discriminator term $\tau$ which works for K also works for SUp K, since the discriminator property

$\forall x,y,z,u\,((x \neq y \Rightarrow \tau(x,y,z,u) = u) \wedge (x = y \Rightarrow \tau(x,y,z,u) = z))$

is defined by a universal formula, thus is preserved under SUp. Thus SUp K has a discriminator term. But by (ii) the class Sir(HSP K) of subdirectly irreducibles of HSP K is in SUp K. Then by definition, HSP K is a discriminator variety. ∎











3.4. DISTINGUISHED LOGICS 


3.4. Distinguished Logics

In this section we give a brief summary of the logics defined so far and give some further ones. Let P be an arbitrary but fixed set of atomic formulas. For each of the logics in this section, the class of models (corresponding to P) will be a subclass of the following one:

$Mod_0 = \{(W,v) : W \text{ is a set and } v : P \to \mathcal{P}(W) \text{ is a function}\}$.

In all our logics we will have the Boolean logical connectives and some extra-Boolean logical connectives. According to a rather respectable (and useful) tradition an extra-Boolean connective is called a modality iff it distributes over disjunction. This will not be true for all of our connectives (Homework: check which ones). Thus, regrettably we sometimes ignore this useful tradition. For this tradition cf. e.g. Venema [V92] Appendix A (pp. 143-152). When specifying a logic $\mathcal{L}$, we will discuss only its extra-Booleans, since the Booleans are standard. For a logic $\mathcal{L}$, $Mod(\mathcal{L})$ is the class of models of $\mathcal{L}$. For $w \in W$, $w \Vdash \varphi$ means that $\varphi$ is true at $w$.

(1) $\mathcal{L}_S$: propositional logic (cf. Def. 2.3). $Mod(\mathcal{L}_S) = Mod_0$.

(2) S5: Modal logic S5 (cf. Def. 2.4). $Mod(S5) = Mod_0$. Extra-Boolean: $\Diamond$. Its meaning is

$w \Vdash \Diamond\varphi \Leftrightarrow (\exists w' \in W)\, w' \Vdash \varphi$.

(3) D: Difference logic or "some-other-time logic". $Mod(D) = Mod_0$. Extra-Boolean: D. Its meaning is

$w \Vdash D\varphi \Leftrightarrow (\exists w' \in W \setminus \{w\})\, w' \Vdash \varphi$.

(4) $\Diamond_\kappa$: $\kappa$-times logic. Here $\kappa$ is any fixed cardinal (may be infinite). $Mod(\Diamond_\kappa) = Mod_0$. Extra-Boolean: $\Diamond_\kappa$. Its meaning is

$w \Vdash \Diamond_\kappa\varphi \Leftrightarrow (\exists B \subseteq W)(|B| = \kappa \;\&\; (\forall w' \in B)\, w' \Vdash \varphi)$.

(5) Tw and $\Diamond_n$: Twice logic and n-times logic. Here Tw $= \Diamond_2$ and $\Diamond_n$ is $\Diamond_\kappa$ for $\kappa = n < \omega$.

(6) $\mathcal{L}_{PAIR}$:

$Mod(\mathcal{L}_{PAIR}) = \{(W,v) \in Mod_0 : W \subseteq U \times U \text{ for some set } U\}$.

Extra-Boolean: $\circ$ (binary). Its meaning is

$(ab) \Vdash \varphi \circ \psi \Leftrightarrow \exists c\,((ac),(cb) \in W \;\&\; (ac) \Vdash \varphi \;\&\; (cb) \Vdash \psi)$.

(7) $\mathcal{L}_{REL}$:

$Mod(\mathcal{L}_{REL}) = \{(W,v) \in Mod_0 : W = U \times U \text{ for some set } U\}$.

The extra-Boolean and its meaning are the same as in $\mathcal{L}_{PAIR}$.

(8) $\mathcal{L}_{ARROW}$: van Benthem's arrow logic. $Mod(\mathcal{L}_{ARROW}) = Mod(\mathcal{L}_{PAIR})$. Extra-Booleans: $\circ$, $\breve{\ }$, Id. Meaning of $\circ$ is the same as in $\mathcal{L}_{PAIR}$.

$((ab) \Vdash \breve{\varphi} \Leftrightarrow ((ba) \in W \text{ and } (ba) \Vdash \varphi))$, $\quad ((ab) \Vdash Id \Leftrightarrow a = b)$.

(9) $\mathcal{L}_{RA}$: restriction of $\mathcal{L}_{ARROW}$ to the models of $\mathcal{L}_{REL}$. $Mod(\mathcal{L}_{RA}) = Mod(\mathcal{L}_{REL})$. Extra-Booleans and their meanings are exactly as in $\mathcal{L}_{ARROW}$.

(10) For $\mathcal{L}_n$ cf. Def. 2.5. But it is important to note that $\mathcal{L}_n$ could be defined as

$Mod(\mathcal{L}_n) = \{(W,v) \in Mod_0 : W = {}^nU \text{ for some set } U\}$.

The extra-Booleans are $\exists v_i$ and "$v_i = v_j$" for $i, j < n$.

SUMMARY:

$\mathcal{L}_S$: propositional logic

S5: modal logic, where the accessibility relation is $W \times W$ for a set $W$ of "possible worlds"

D: difference logic (or "some-other-time" logic)

$\Diamond_2$ or Tw: twice logic

$\Diamond_n$: n-times logic ($n \in \omega$)

$\Diamond_\kappa$: $\kappa$-times logic ($\kappa$ is any cardinal)

$\mathcal{L}_{PAIR}$: set of worlds is arbitrary $W \subseteq U \times U$ for some $U$, only extra-Boolean is $\circ$

$\mathcal{L}_{REL}$: set of worlds is $U \times U$ for some $U$, only extra-Boolean is $\circ$

$\mathcal{L}_{RA}$ (logic of relation algebras): set of worlds is $U \times U$, extra-Booleans $\circ$, $\breve{\ }$, Id

$\mathcal{L}_{ARROW}$: van Benthem's arrow logic. Set $W$ of worlds is as in $\mathcal{L}_{PAIR}$, extra-Booleans are as in $\mathcal{L}_{RA}$ but now relativized to $W$

$\mathcal{L}_n$: first-order logic restricted to the first n variables ($n \in \omega$)

$\mathcal{L}_{\omega\omega}$: (usual) first-order logic with $\omega$ many variables

Let

$L = \{\mathcal{L}_S, S5, D, Tw, \Diamond_n, \Diamond_\kappa, \mathcal{L}_{PAIR}, \mathcal{L}_{REL}, \mathcal{L}_{RA}, \mathcal{L}_{ARROW}, \mathcal{L}_n, \mathcal{L}_{\omega\omega} : n \in \omega, \kappa \in Card\}$.

DISTINGUISHED PROPERTIES to be checked for every $\mathcal{L} \in L$:

(The reason for looking at these properties is that they distinguish first-order like logics from propositional like logics.)

dec The set of all valid formulas of $\mathcal{L}$ is decidable. (Briefly: $\mathcal{L}$ is decidable.)

fmp $\mathcal{L}$ has the finite model property (fmp).

$\mathcal{L}$ has the fmp $\Leftrightarrow (\forall\varphi \in F_{\mathcal{L}})[\not\models_{\mathcal{L}} \varphi \Rightarrow (\exists\mathfrak{M} \in M_{\mathcal{L}})(|\mathfrak{M}| < \omega \;\&\; \mathfrak{M} \not\models \varphi)]$.

r.e. The set of all valid formulas of $\mathcal{L}$ is recursively enumerable (r.e.). (Briefly: $\mathcal{L}$ is r.e.)








Remark: If $\mathcal{L}$ is r.e. and $\mathcal{L}$ has the fmp then $\mathcal{L}$ is decidable.

fax $Alg_1(\mathcal{L})$ is finitely axiomatizable (fax).

Gip $\mathcal{L}$ has Gödel's incompleteness property (Gip).

$\mathcal{L}$ has Gip $\Leftrightarrow$ there is a finitely axiomatizable set $T$ of formulas of $\mathcal{L}$ such that every consistent extension of $T$ is undecidable. That is,

$(\exists\varphi \in F_{\mathcal{L}})(\forall T \subseteq F_{\mathcal{L}})[(\varphi \in T \;\&\; T \text{ is consistent}) \Rightarrow \{\psi : T \models_{\mathcal{L}} \psi\} \text{ is undecidable}]$.

dm The distinction between set-models and class-models counts (dm). That is: Assume $|P| < \omega$. (P is the set of atomic formulas of $\mathcal{L}$. E.g., P is the set of propositional variables in cases of $\mathcal{L}_S$ or S5 or D; and it is the set of relation symbols [similarity type] in cases of $\mathcal{L}_n$ or $\mathcal{L}_{\omega\omega}$.)

We say that dm holds in the logic $\mathcal{L}$ $\Leftrightarrow$ ($\exists$ class-model $\mathfrak{M}$)[$Th(\mathfrak{M})$ is not a class (hence is not a set either, i.e., does not exist)].

unm Again assume $|P| < \omega$. $(\exists\mathfrak{M} \in M_{\mathcal{L}})[Th(\mathfrak{M})$ is undecidable$]$.


COMPARISON OF LOGICS IN L: (An arrow points to the place where the property in question becomes true "moving from left to right". Hence in principle it should always point to a gap between two logics.)

Figure 3.2. [The figure arranges the logics of L from "obviously propositional" ($\mathcal{L}_S$, at the left) to "obviously first-order" (at the right), with $\mathcal{L}_{RA}$ and $\mathcal{L}_n$ ($n \geq 3$) in between.]
EXERCISES 3.4.1:

(1) Write up a detailed definition of $\mathcal{L}_n$ as a modal logic following the hint given in item (10) above.

(2) (Important!) Show that all the logics introduced above are nice logics. It is especially important to do for $\mathcal{L}_n$! (For $\mathcal{L}_{\omega\omega}$ it is hard, needs a reformulation of $\mathcal{L}_{\omega\omega}$ and is done e.g. in Blok-Pigozzi [BP89]. Cf. also Simon [Si91] and the references therein. It is recommended not to do this exercise for $\mathcal{L}_{\omega\omega}$ at this point.)

(3) Check which claims represented on Figure 3.2 were proved in the text. Try to prove the missing ones. ◁
ABSTRACT. This paper is a brief survey of relation algebras and the calculus of relations, followed by two examples of their use in computer science: constraint satisfaction problems for relation algebras and a relational model for Dijkstra's axiomatic semantics for computer programs (centered on the predicate transformers called "weakest precondition" and "weakest liberal precondition"). The former topic is illustrated by the "interval algebra", a relation algebra which arose from Allen's work on temporal reasoning, and by "compass algebras", which are designed for similar reasoning about space. It will be shown here that constraint satisfiability is NP-complete for all compass and interval algebras.


1. The calculus of relations and relation algebras

Composition of binary relations was introduced to logic by Augustus De Morgan [34], [35] (see [36], pp. 55-57, 208, 221, etc.). De Morgan observed that the syllogism "every A is a B, every B is a C, so every A is a C" remains valid if the copula "is" is replaced by any transitive relation L. De Morgan went further, noting that if LM is the composition of the relation L with the relation M, that is, A is an LM of B just in case A is an L of an M of B, then the following syllogism is valid: "if every A is an L of a B, and every B is an M of a C, then every A is an LM of a C." De Morgan [35] (see [36], p. 222) denoted the converse of the relation L by $L^{-1}$ and its contrary by not-L, and observed that these operations commute: the converse of the contrary of L is the contrary of the converse of L. Starting with [37], Charles Sanders Peirce created algebra from De Morgan's logic of relations, following the model of George Boole [7], [6], who created algebra from the logic of classes, "and after many attempts produced a good general algebra of logic, together with another algebra specially adapted to dyadic relations (Studies in Logic, by members of the Johns Hopkins University, 1883, Note B, 187-203). Schröder developed the last in a systematic manner" in [42] (quotation from [32]). F. W. K. Ernst Schröder's investigation of the calculus laid out by Peirce [39] in 17 pages extended to 649. His book remains today the only exhaustive treatise on the calculus of relations. For additional survey and historical material on relation algebras see [8], [12], [16], [17], [18], [26], [27], [28], [29], [30], [44], and [4^].

Consider an arbitrary set, called the "universe of discourse" or simply the "universe". The universe could, depending on the situation and purposes, contain all possible mathematical objects, or all states of a machine, or all real numbers, or just a finite set of letters. The fundamental operations of the calculus of relations are natural set-theoretical operations on binary relations over the universe. In addition to the Boolean operations of union, intersection, and complementation, there are the "relative" (as Peirce calls them), or "Peircean" (as Tarski calls them) operations, namely the binary operation of "relative addition" (Peirce's name), the binary operation of "relative multiplication" (Peirce's name) or "composition" (De Morgan's name) and the unary operation of conversion. There are also four distinguished relations, namely the universal relation, the empty relation, the identity relation, and the diversity relation. The definitions of these operations and distinguished relations are listed below. In these definitions, x and y are arbitrary binary relations on the universe. By a binary relation we simply mean a set of ordered pairs. The ordered pair whose first element is p and whose second element is q is denoted $(p,q)$.

Key words and phrases: relation algebras, interval algebras, compass algebras, constraint satisfaction prob-


union of x and y: $x + y = \{(p,q) : (p,q) \in x \text{ or } (p,q) \in y\}$

intersection of x and y: $x \cdot y = \{(p,q) : (p,q) \in x \text{ and } (p,q) \in y\}$

complement of x: $\overline{x} = \{(p,q) : p, q \text{ are in the universe, but } (p,q) \notin x\}$

relative sum of x and y: $x \dagger y = \{(p,r) : \text{for every } q \text{ in the universe, } (p,q) \in x \text{ or } (q,r) \in y\}$

relative product of x and y: $x;y = \{(p,r) : \text{for some } q, (p,q) \in x \text{ and } (q,r) \in y\}$

converse of x: $\breve{x} = \{(q,p) : (p,q) \in x\}$

universal relation: $1 = \{(p,q) : p, q \text{ are in the universe}\}$

empty relation: $0 = \overline{1}$

identity relation: $1' = \{(p,p) : p \text{ is in the universe}\}$

diversity relation: $0' = \{(p,q) : p, q \text{ are in the universe, } p \neq q\}$


We are using nineteenth century notations. Both De Morgan and Peirce denoted the composition of x and y simply by "xy", but Schröder [42] used "x;y", as is done here. The notation "x|y" was used by Whitehead and Russell [53] and adopted by Tarski and his school [11]. Peirce introduced the notation "$\breve{x}$" for the converse of x. Schröder introduced "1'" and "0'" for the identity and diversity relations. Here are some laws in the calculus of relations. These laws hold for every possible universe, and all possible binary relations x, y, and z.

(i) $(x + y) + z = x + (y + z)$

(ii) $x + y = y + x$

(iii) $x = \overline{\overline{x} + \overline{y}} + \overline{\overline{x} + y}$

(iv) $x \cdot y = \overline{\overline{x} + \overline{y}}$

(v) $1 = x + \overline{x}$

(vi) $0 = \overline{1}$

(vii) $x;(y;z) = (x;y);z$

(viii) $x;1' = x$

(ix) $(x + y);z = x;z + y;z$

(x) $\breve{\breve{x}} = x$

(xi) $(x + y)\breve{\ } = \breve{x} + \breve{y}$

(xii) $(x;y)\breve{\ } = \breve{y};\breve{x}$

(xiii) $\breve{x};\overline{x;y} + \overline{y} = \overline{y}$

(xiv) $0' = \overline{1'}$

(xv) $x \dagger y = \overline{\overline{x};\overline{y}}$

A relation algebra is an algebra of the form

$\mathfrak{A} = \langle A, +, \cdot, \bar{\ }, 0, 1, ;, \breve{\ }, 1'\rangle$

which satisfies the identities (i)-(xv) listed above. The first six identities say that $\langle A, +, \cdot, \bar{\ }, 0, 1\rangle$ is a Boolean algebra (called the Boolean part or Boolean reduct of $\mathfrak{A}$). One of the most significant laws of the calculus of relations is De Morgan's "Theorem K" (see [36, pp. 186-7, 224] or [30, p. 434-5]), which asserts that the following statements are equivalent:

$x;y \leq z$, $\quad \breve{x};\overline{z} \leq \overline{y}$, $\quad \overline{z};\breve{y} \leq \overline{x}$.

After minor Boolean transformations Theorem K becomes the cycle law, that the following statements are equivalent:

$x;y \cdot z = 0$, $\quad \breve{x};z \cdot y = 0$, $\quad z;\breve{y} \cdot x = 0$.

The cycle law and De Morgan's Theorem K hold in every relation algebra because they can be proved from axioms (i)-(xv). There are many other equivalent axiomatizations for relation algebras. For example, equations (ix)-(xiii) can be replaced with the cycle law or with Theorem K.

The algebra containing all binary relations on the universe U is denoted Re(U). Identities (i)-(xv) hold in Re(U), so Re(U) is a relation algebra. Relation algebras are defined by equations, so it follows that subalgebras, homomorphic images, and direct products of relation algebras are again relation algebras. The algebras that can be obtained from algebras of the form Re(U) by forming subalgebras, homomorphic images, and direct products are called representable relation algebras. Roger Lyndon [22] showed that not all relation algebras are representable. It follows that the axioms (i)-(xv) are incomplete, in the sense that there are equations which hold in every algebra of the form Re(U) but cannot be derived from (i)-(xv). J. Donald Monk [33] proved that the equations which hold in every algebra of the form Re(U) cannot be derived from any finite set of equations.

For a relation algebra $\mathfrak{A}$, let $At\mathfrak{A}$ be the set of atoms of (the Boolean reduct of) $\mathfrak{A}$. (An element x of $\mathfrak{A}$ is an atom if $x \neq 0$ and, for every y in $\mathfrak{A}$, either $x \cdot y = x$ or $x \cdot y = 0$.) If x is an atom of $\mathfrak{A}$, then so is $\breve{x}$. The relation algebra $\mathfrak{A}$ is said to be atomic if its Boolean reduct is atomic, that is, for every element y of $\mathfrak{A}$, if $y \neq 0$ then there is some atom x of $\mathfrak{A}$ such that $x \leq y$. Similarly, $\mathfrak{A}$ is said to be complete if its Boolean part is complete, that is, every subset X of $\mathfrak{A}$ has a least upper bound and greatest lower bound. It turns out that if $\mathfrak{A}$ is both complete and atomic, then the structure of $\mathfrak{A}$ is entirely determined by its atoms and the action of the relative operations on the atoms. For a precise statement of this fact, define the atom structure of $\mathfrak{A}$ to be $\mathfrak{At}\mathfrak{A} = \langle At\mathfrak{A}, C, \breve{\ }, I\rangle$, where

$C = \{(a,b,c) : a, b, c \in At\mathfrak{A} \text{ and } a;b \geq c\}$ and $I = \{a : a \in At\mathfrak{A} \text{ and } a \leq 1'\}$.

For any atoms a, b, c of $\mathfrak{A}$, let

$[a,b,c] = \{(a,b,c),\ (\breve{a},c,b),\ (b,\breve{c},\breve{a}),\ (\breve{b},\breve{a},\breve{c}),\ (\breve{c},a,\breve{b}),\ (c,\breve{b},a)\}$.

By the cycle law, C is a union of sets of the form [a,b,c]. We refer to such sets as cycles. Then the identity element, the converse of x, and the relative product of x and y can be computed from the atom structure according to

$1' = \sum I$, $\quad \breve{x} = \sum\{\breve{a} : x \geq a \in At\mathfrak{A}\}$,

$x;y = \sum\{c : \text{for some } a, b \in At\mathfrak{A},\ x \geq a,\ y \geq b,\ (a,b,c) \in C\}$.

Hence to specify a complete atomic relation algebra it suffices to list its atoms, to list those atoms which are in I, to indicate which atoms are converses of which other atoms, and, finally, to list the cycles [a,b,c]. This is especially convenient when $\mathfrak{A}$ is finite. We present several examples of relation algebras using this method.














2. Interval algebras

To define the interval algebra IA [1], [2], take the universe U to be the set of all "events", where an event is simply a pair of real numbers, the second of which is larger than the first. The first number in an event is its "starting time", the second its "ending time". (Our model for time here is just the real numbers.) Seven binary relations on events are defined in the list below, where $x, x', y, y'$ are real numbers and $(x,x')$, $(y,y')$ are events.


identity: $1' = \{((x,x'),(y,y')) : x = y < x' = y'\}$

precedes: $p = \{((x,x'),(y,y')) : x < x' < y < y'\}$

during: $d = \{((x,x'),(y,y')) : y < x < x' < y'\}$

overlaps: $o = \{((x,x'),(y,y')) : x < y < x' < y'\}$

meets: $m = \{((x,x'),(y,y')) : x < x' = y < y'\}$

starts: $s = \{((x,x'),(y,y')) : x = y < x' < y'\}$

finishes: $f = \{((x,x'),(y,y')) : y < x < x' = y'\}$


The seven relations listed above are studied in [50] and are used in some computer programs [5], [31], [43]. These relations generate a finite subalgebra of Re(U), called the interval algebra, or simply the IA. The IA has 13 atoms, namely $1', p, \breve{p}, d, \breve{d}, o, \breve{o}, m, \breve{m}, s, \breve{s}, f$, and $\breve{f}$. (It turns out that p alone will generate the IA, and so will each of the elements $\breve{p}, m, \breve{m}, o$, and $\breve{o}$ [21], [20, Theorem 4.4].) If we start with the rational numbers instead of the reals, or, in fact, any dense linear ordering without endpoints, then the resulting algebra is isomorphic to the IA. But if we use some other infinite linear ordering, then the relation algebra generated by 1', p, d, o, m, s, and f may not be finite, and the relations listed above may no longer be atoms. This happens, for example, when we use the integers. If we start with a finite linear ordering on U, then the subalgebra generated by 1', p, d, o, m, s, and f will be Re(U). Any relation algebra obtained in this way will be called an interval algebra (while the IA is the one obtained from the reals or rationals). The IA has 75 cycles:

[1',1',1'], [1',s,s], [1',m,m], [1',p,p], [1',o,o], [1',f,f], [1',d,d],
[s,1',s], [s,s,s], [s,m,p], [s,p,p], [s,o,m], [s,o,p], [s,o,o], [s,f,d], [s,d,d],
[m,1',m], [m,s,m], [m,m,p], [m,p,p], [m,o,p], [m,f,s], [m,f,o], [m,f,d], [m,d,s], [m,d,o], [m,d,d],
[p,1',p], [p,s,p], [p,m,p], [p,p,p], [p,o,p], [p,f,s], [p,f,m], [p,f,p], [p,f,o], [p,f,d], [p,d,s], [p,d,m], [p,d,p], [p,d,o], [p,d,d],
[o,1',o], [o,s,o], [o,m,p], [o,p,p], [o,o,m], [o,o,p], [o,o,o], [o,f,s], [o,f,o], [o,f,d], [o,d,s], [o,d,o], [o,d,d],
[f,1',f], [f,s,d], [f,m,m], [f,p,p], [f,o,s], [f,o,o], [f,o,d], [f,f,f], [f,d,d],
[d,1',d], [d,s,d], [d,m,p], [d,p,p], [d,o,s], [d,o,m], [d,o,p], [d,o,o], [d,o,d], [d,f,d], [d,d,d].

Although all relative products in the IA can be computed from the cycles, it is convenient to also have the products listed in a table. The table of relative products of atoms of the IA is given in two parts (see Figs. 1 and 2). To save space the + signs are omitted, so, for example, pdoms = p + d + o + m + s. The table appeared first in [2]. It not only shows relative products of atoms in the IA, but also shows containments for the Allen-Hayes algebra [3], [4]. By the Allen-Hayes algebra we mean the direct product of "all" interval algebras, i.e., the direct product of an indexed system of algebras containing one algebra from each isomorphism type of interval algebras. The Allen-Hayes algebra contains the elements $1', p, \breve{p}, d, \breve{d}, o, \breve{o}, m, \breve{m}, s, \breve{s}, f$, and $\breve{f}$. They form a partition, i.e., they are pairwise disjoint and $1 = 1' + p + \breve{p} + d + \breve{d} + o + \breve{o} + m + \breve{m} + s + \breve{s} + f + \breve{f}$. Finally, the relative product of any two of them is contained in (and not necessarily equal to) the corresponding entry in the table.

3. Compass algebras

Let the universe be the set of all points in the n-dimensional Euclidean space $\mathbb{R}^n$, where $\mathbb{R}$ is the set of real numbers. Let $\mathbb{R}^+$ be the set of positive real numbers. For every vector v in $\mathbb{R}^n$ define two binary relations on $\mathbb{R}^n$ as follows:

$D_v = \{(x,y) : x, y \in \mathbb{R}^n \text{ and for some } r \text{ in } \mathbb{R}^+,\ x + rv = y\}$,

$E_v = \{(x,y) : x, y \in \mathbb{R}^n \text{ and for some } r \text{ in } \mathbb{R},\ x + rv = y\}$.

Figure 1. The interval algebra products, first part.

Figure 2. The interval algebra products, second part.

Here are some easily proved properties of these relations.

THEOREM 1. (i) $D_0 = E_0 = 1' = \{(x,x) : x \in \mathbb{R}^n\}$,

(ii) $\breve{D}_v = D_{-v} = \{(x,y) : \text{for some } r \text{ in } \mathbb{R}^+,\ x - rv = y\}$,

(iii) $D_v;D_v = D_v$,

(iv) $D_v = D_{rv}$ and $E_v = E_{rv}$ whenever $r \in \mathbb{R}^+$,

(v) $E_v = \breve{E}_v = E_v;E_v = D_v;\breve{D}_v = \breve{D}_v;D_v = D_v + \breve{D}_v + D_0$,

(vi) $E_v$ is an equivalence relation on $\mathbb{R}^n$,

(vii) $D_v;D_w = D_w;D_v = \{(x,y) : \text{for some } r, s \text{ in } \mathbb{R}^+,\ x + rv + sw = y\}$,

(viii) $E_v;E_w = E_w;E_v = \{(x,y) : \text{for some } r, s \text{ in } \mathbb{R},\ x + rv + sw = y\}$,

(ix) $(x,y) \in E_v$ iff $y - x$ is in the subspace spanned by $v$,

(x) $(x,y) \in E_v;E_w$ iff $y - x$ is in the subspace spanned by $v$ and $w$,

(xi) $(x,y) \in E_{v_0};\cdots;E_{v_m}$ iff $y - x$ is in the subspace spanned by $v_0, \ldots, v_m$.
For any m vectors $v_1, \ldots, v_m \in \mathbb{R}^n$, let $C_n[v_1, \ldots, v_m]$ be the subalgebra of $Re(\mathbb{R}^n)$ generated by the relations $D_{v_1}, \ldots, D_{v_m}$. $C_n[v_1, \ldots, v_m]$ is called the n-dimensional compass algebra determined by $v_1, \ldots, v_m$. If v and w are a linearly dependent pair of nonzero vectors, then either $D_v = D_w$ or $D_v = \breve{D}_w$. If v and w both appear in a list of vectors generating a compass algebra, then v can be deleted from the list, and the same compass algebra will still be obtained from the remaining vectors. Even if the vectors are pairwise linearly independent, deleting one of them may not result in a strictly smaller compass algebra. The structure of $C_n[v_1, \ldots, v_m]$ depends heavily on the choice of vectors. But if $v_1, \ldots, v_m$ is a linearly independent set of vectors, then the structure of $C_n[v_1, \ldots, v_m]$ is completely determined by m. More exactly, if $v_1, \ldots, v_m$ and $v'_1, \ldots, v'_m$ are two linearly independent sets of vectors in $\mathbb{R}^n$ (hence $m \leq n$), then $C_n[v_1, \ldots, v_m]$ is isomorphic to $C_n[v'_1, \ldots, v'_m]$.

4. Examples of compass algebras

The 1-dimensional compass algebra $C_1[(1)]$ generated by the 1-dimensional vector (1) has three atoms, namely $D_{(1)}$, $D_{(-1)}$, and $D_{(0)}$. $C_1[(1)]$ is known as the "Point Algebra" [19], [21], [20], [47], [48], [49], [51], [52]. For a description of the structure of $C_1[(1)]$ in terms of atoms and cycles, let $1' = D_{(0)}$, $a = D_{(1)}$, and $\breve{a} = D_{(-1)}$. Then the cycles are [1',1',1'], [1',a,a], [a,1',a], and [a,a,a]. The table of relative products of atoms is

      |  1'   a    ă
   1' |  1'   a    ă
   a  |  a    a    1
   ă  |  ă    1    ă

Every 1-dimensional vector in 1-space must determine one of the relations $D_{(1)}$, $D_{(-1)}$, or $D_{(0)}$, so no new 1-dimensional compass algebras are obtained by considering two or more vectors in 1-dimensional space. However, there is one other 1-dimensional compass algebra, namely $C_1[(0)]$. This algebra has two atoms, namely $D_{(0)} = 1'$ and $\overline{D_{(0)}} = 0'$. The cycles are [1',1',1'], [1',0',0'], and [0',0',0'], and the table of relative products of atoms is

      |  1'   0'
   1' |  1'   0'
   0' |  0'   1

By comparing this and the previous table it can be seen that $C_1[(0)]$ is isomorphic to a subalgebra of $C_1[(1)]$, the one with atoms 1' and $a + \breve{a}$. Also, $C_1[(0)]$ is isomorphic to $C_n[(0)]$ for every integer n.

Figure 3. Products for $C_2[(1,0),(0,1)]$.

Now we consider 2-dimensional compass algebras. Among these are particular algebras which inspired the name "compass algebra". We start with the compass algebra $C_2[(1,0),(0,1)]$. We would get the same algebra with any two linearly independent vectors in $\mathbb{R}^2$, but these two allow us to dub $E_{(1,0)}$ the "east-west" direction, while $E_{(0,1)}$ is the "north-south" direction. Thus $C_2[(0,1),(1,0)]$ is a "2-directional" algebra of relations. "East", "west", "north", and "south" are the relations $D_{(1,0)}$, $D_{(-1,0)}$, $D_{(0,1)}$, and $D_{(0,-1)}$, respectively. In the standard Euclidean plane analytic geometry, the points "east" of the origin are all the points on the positive part of the x-axis, and so on. $C_2[(1,0),(0,1)]$ has nine atoms, namely $D_{(0,0)}$, $D_{(1,0)}$, $D_{(-1,0)}$, $D_{(0,1)}$, $D_{(0,-1)}$, $D_{(1,0)};D_{(0,1)}$, $D_{(0,1)};D_{(-1,0)}$, $D_{(0,-1)};D_{(1,0)}$, and $D_{(0,-1)};D_{(-1,0)}$. The last four atoms could be called "northeasterly", "northwesterly", "southeasterly", and "southwesterly", respectively, since they do not correspond exactly with directions of the compass. The points in the Euclidean plane which can be reached by going northeasterly from the origin are exactly those in the first quadrant. Let

$1' = D_{(0,0)}$ = identity

$a = D_{(1,0)}$ = east

$b = a;c = c;a$ = northeasterly

$\breve{a} = D_{(-1,0)}$ = west

$\breve{b} = \breve{a};\breve{c} = \breve{c};\breve{a}$ = southwesterly

$c = D_{(0,1)}$ = north

$d = \breve{a};c = c;\breve{a}$ = northwesterly

$\breve{c} = D_{(0,-1)}$ = south

$\breve{d} = \breve{c};a = a;\breve{c}$ = southeasterly

Then the 33 cycles of this algebra are [1',1',1'], [1',a,a], [a,1',a], [1',b,b], [b,1',b], [1',c,c], [c,1',c], [1',d,d], [d,1',d], [a,a,a], [a,b,b], [a,c,b], [a,d,b], [a,d,c], [a,d,d], [b,a,b], [b,b,b], [b,c,b], [b,d,b], [b,d,c], [b,d,d], [c,a,b], [c,b,b], [c,c,c], [c,d,d], [d,a,b], [d,a,c], [d,a,d], [d,b,b], [d,b,c], [d,b,d], [d,c,d], [d,d,d]. The relative products of atoms are given in Fig. 3.
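The atom-structure method of Section 1 (atoms, identity atoms, converses, cycles) can be carried out mechanically, both for the 75 cycles of the IA given in Section 2 and for the 33 cycles of $C_2[(1,0),(0,1)]$ just listed. The following Python program is an added example and is not code from the paper: it closes a list of cycles under the six Peircean transforms that make up $[a,b,c]$, computes relative products of arbitrary elements from the resulting set $C$, and checks associativity of the product as a consistency test of the transcribed cycle list. The single-letter atom names (i for 1', upper case for converses) are the example's own encoding.

```python
from itertools import product


class FiniteRA:
    """A complete atomic relation algebra given by its atom structure:
    atoms, identity atoms I, a converse map on atoms, and a list of cycles.
    Elements are frozensets of atoms (the sum of those atoms)."""

    def __init__(self, atoms, identity, converse, cycles):
        self.atoms = frozenset(atoms)
        self.identity = frozenset(identity)
        self.conv = dict(converse)
        cv = self.conv
        # Close every listed cycle [a,b,c] under the six Peircean transforms,
        # so that C contains every triple (a,b,c) of atoms with a;b >= c.
        self.C = set()
        for a, b, c in cycles:
            self.C.update({(a, b, c), (cv[a], c, b), (b, cv[c], cv[a]),
                           (cv[b], cv[a], cv[c]), (cv[c], a, cv[b]), (c, cv[b], a)})

    def compose(self, x, y):
        """x;y = sum of all atoms c such that (a,b,c) is in C for some a <= x, b <= y."""
        return frozenset(c for a in x for b in y for c in self.atoms
                         if (a, b, c) in self.C)

    def converse(self, x):
        return frozenset(self.conv[a] for a in x)

    def complement(self, x):
        return self.atoms - frozenset(x)

    def is_associative(self):
        """(x;y);z == x;(y;z) for all atoms; a mistranscribed cycle list usually breaks this."""
        for x, y, z in product(self.atoms, repeat=3):
            left = self.compose(self.compose({x}, {y}), {z})
            right = self.compose({x}, self.compose({y}, {z}))
            if left != right:
                return False
        return True


def from_single_letters(forward, cycles_text):
    """Build a FiniteRA whose forward atoms are single letters ('i' stands for 1');
    the converse of a forward atom is the same letter in upper case, and the
    cycles are given as space-separated three-letter words."""
    converse = {'i': 'i'}
    for a in forward.replace('i', ''):
        converse[a] = a.upper()
        converse[a.upper()] = a
    cycles = [tuple(word) for word in cycles_text.split()]
    return FiniteRA(converse.keys(), ['i'], converse, cycles)


# The interval algebra: atoms 1'(i), s, m, p, o, f, d and converses S, M, P, O, F, D;
# the 75 cycles listed in Section 2, transcribed into this encoding.
IA = from_single_letters('ismpofd', """
    iii iss imm ipp ioo iff idd
    sis sss smp spp som sop soo sfd sdd
    mim msm mmp mpp mop mfs mfo mfd mds mdo mdd
    pip psp pmp ppp pop pfs pfm pfp pfo pfd pds pdm pdp pdo pdd
    oio oso omp opp oom oop ooo ofs ofo ofd ods odo odd
    fif fsd fmm fpp fos foo fod fff fdd
    did dsd dmp dpp dos dom dop doo dod dfd ddd""")

# The compass algebra C_2[(1,0),(0,1)]: atoms 1'(i), a = east, b = northeasterly,
# c = north, d = northwesterly, converses A, B, C, D; the 33 cycles listed above.
COMPASS = from_single_letters('iabcd', """
    iii iaa aia ibb bib icc cic idd did
    aaa abb acb adb adc add
    bab bbb bcb bdb bdc bdd
    cab cbb ccc cdd
    dab dac dad dbb dbc dbd dcd ddd""")


def ia_product(x, y):
    """Relative product of two IA elements written as strings of atom letters, e.g. ia_product('p', 'd')."""
    return ''.join(sorted(IA.compose(set(x), set(y))))


if __name__ == '__main__':
    print('IA associative:', IA.is_associative(), ' compass associative:', COMPASS.is_associative())
    print('p;d =', ia_product('p', 'd'), ' p;P =', ia_product('p', 'P'), ' o;O =', ia_product('o', 'O'))
    print('east;northwesterly =', ''.join(sorted(COMPASS.compose({'a'}, {'d'}))))
```

Running it reproduces entries of the IA table (for instance p;d = p + d + o + m + s, p;p̆ = 1, m;m̆ = 1' + f + f̆) and, for the compass algebra, a;d = b + c + d and a;ă = 1' + a + ă = E_(1,0), all derived from the cycles alone.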

The compass algebra $C_2[(1,0),(1,1),(0,1)]$ has 13 atoms, namely $1', a, b, c, d, e, f, \breve{a}, \breve{b}, \breve{c}, \breve{d}, \breve{e}, \breve{f}$, where $1' = D_{(0,0)}$, $a = D_{(1,0)}$, $b = D_{(1,0)};D_{(1,1)}$, $c = D_{(1,1)}$, $d = D_{(1,1)};D_{(0,1)}$, $e = D_{(0,1)}$, and $f = D_{(0,1)};D_{(-1,0)}$. There are 89 cycles, each having the form [x,y,z] with x, y, z in {1', a, b, c, d, e, f}. The cycles are not listed, but they can be read from the table of relative products in Fig. 4. Set $\tilde{x} = x + \breve{x}$ for every x in $C_2[(1,0),(1,1),(0,1)]$. Then $1' + \tilde{a} = E_{(1,0)}$, $1' + \tilde{c} = E_{(1,1)}$, $1' + \tilde{e} = E_{(0,1)}$, and $1', \tilde{a}, \tilde{b}, \tilde{c}, \tilde{d}, \tilde{e}, \tilde{f}$ are the atoms of a subalgebra called the "symmetric subalgebra" of $C_2[(1,0),(1,1),(0,1)]$. The table of products for this subalgebra is given below; as in Figs. 1 and 2 the + signs are omitted, and so are the tildes, so that, e.g., bcdef stands for $\tilde{b} + \tilde{c} + \tilde{d} + \tilde{e} + \tilde{f}$.

     |  a       b       c       d       e       f
   a |  1'a     bcdef   bdef    bcdef   bcdf    bcdef
   b |  bcdef   1       abdef   abcdef  abcdf   abcdef
   c |  bdef    abdef   1'c     abdef   abdf    abdef
   d |  bcdef   abcdef  abdef   1       abcdf   abcdef
   e |  bcdf    abcdf   abdf    abcdf   1'e     abcdf
   f |  bcdef   abcdef  abdef   abcdef  abcdf   1
Figure 4. Products for $C_2[(1,0),(1,1),(0,1)]$.

Next we consider the 2-dimensional compass algebra $C_2[(1,0),(1,1),(0,1),(-1,1)]$. Besides the directions "east-west" $E_{(1,0)}$ and "north-south" $E_{(0,1)}$, this algebra has directions "northeast-southwest" $E_{(1,1)}$ and "southeast-northwest" $E_{(-1,1)}$. There are 17 atoms, namely $D_{(0,0)}$ and 16 others, which are listed counterclockwise, starting at the x-axis: $D_{(1,0)}$,

The 2-dimensional compass algebra $C_2[(1,0)]$ has just four atoms, namely $D_{(0,0)}$, $D_{(1,0)}$, $D_{(-1,0)}$, and $F = (\mathbb{R}^2 \times \mathbb{R}^2) \cdot \overline{D_{(0,0)} + D_{(1,0)} + D_{(-1,0)}}$. F is a symmetric relation, i.e., $F = \breve{F}$, unlike $D_{(1,0)}$ or $D_{(-1,0)}$. The points of the plane which are in the relation F to the origin are all those which lie in the upper half plane or lower half plane (i.e., not on the x-axis). Let $1' = D_{(0,0)}$, $a = D_{(1,0)}$, $\breve{a} = D_{(-1,0)}$, and $b = \overline{1' + \tilde{a}}$. Then the cycles of $C_2[(1,0)]$ are [1',1',1'], [1',a,a], [a,1',a], [1',b,b], [a,a,a], [a,b,b], [b,b,b], and the relative products of atoms are:
This algebra illustrates a general phenomenon. If $v_1, \ldots, v_m \in \mathbb{R}^n$ are pairwise linearly independent but do not span $\mathbb{R}^n$, then $C_n[v_1, \ldots, v_m]$ will have only one atom for the subspace orthogonal to the subspace spanned by $v_1, \ldots, v_m$. Notice that this situation must arise whenever the number of directions is less than the number of dimensions, i.e., whenever $m < n$.

Now we consider 3-dimensional compass algebras. Let $u = (1,0,0)$, $v = (0,1,0)$, $w = (1,1,0)$, $x = (-1,1,0)$ and $y = (0,0,1)$. The 3-dimensional compass algebra generated by a single vector in $\{u,v,w,x,y\}$ has 4 atoms. The algebra generated by any two vectors in $\{u,v,w,x,y\}$ has 10 atoms. Note that u, v, w, x all lie in the same 2-dimensional subspace. Hence any three vectors in $\{u,v,w,x\}$ generate a 3-dimensional compass algebra with 14 atoms, while $C_3[u,v,w,x]$ has 18 atoms. The vector y and any two vectors in $\{u,v,w,x\}$ form a linearly independent set, and generate a compass algebra with 27 atoms. The vector y and any three vectors in $\{u,v,w,x\}$ generate a compass algebra with 39 atoms. Finally, $C_3[u,v,w,x,y]$ has 51 atoms.

Not every compass algebra determined by a finite set of vectors is finite. Let $z = (1,1,1)$. Then $C_3[u,v,y,z] = C_3[(1,0,0),(0,1,0),(0,0,1),(1,1,1)]$ is infinite. To see this, let $X_0 = E_u$, $Y_0 = E_v$, $Z_0 = E_y$, and, for every integer n, $X_{n+1} = X_n;E_z \cdot Y_n;Z_n$, $Y_{n+1} = Y_n;E_z \cdot X_n;Z_n$, and $Z_{n+1} = Z_n;E_z \cdot X_n;Y_n$. Then $X_n$, $Y_n$, and $Z_n$ are all distinct equivalence relations for every n. In particular,

$X_0 = E_{(1,0,0)}$, $\quad Y_0 = E_{(0,1,0)}$, $\quad Z_0 = E_{(0,0,1)}$,

$X_1 = E_{(0,1,1)}$, $\quad Y_1 = E_{(1,0,1)}$, $\quad Z_1 = E_{(1,1,0)}$,

$X_2 = E_{(2,1,1)}$, $\quad Y_2 = E_{(1,2,1)}$, $\quad Z_2 = E_{(1,1,2)}$,

$X_3 = E_{(2,3,3)}$, $\quad Y_3 = E_{(3,2,3)}$, $\quad Z_3 = E_{(3,3,2)}$,

$X_4 = E_{(6,5,5)}$, $\quad Y_4 = E_{(5,6,5)}$, $\quad Z_4 = E_{(5,5,6)}$.
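The recursion above can be checked with a few lines of exact integer arithmetic, using Theorem 1 (x): $E_v;E_w$ relates $x$ to $y$ exactly when $y - x$ lies in the plane spanned by $v$ and $w$, and the intersection of two such relations is $E_u$ for the line $u$ in which the two planes meet. The Python program below is an added example, not code from the paper; it reproduces the table of $X_n$, $Y_n$, $Z_n$ for $n \leq 4$ and counts how many distinct relations the recursion has produced so far.

```python
from math import gcd


def cross(u, v):
    """Cross product of two integer vectors in R^3 (a normal to the plane they span)."""
    return (u[1] * v[2] - u[2] * v[1],
            u[2] * v[0] - u[0] * v[2],
            u[0] * v[1] - u[1] * v[0])


def primitive(v):
    """Canonical representative of the line spanned by v: divide out the gcd and make the
    first nonzero coordinate positive, since E_v = E_rv for every r != 0 (Theorem 1 (ii), (iv))."""
    g = gcd(gcd(abs(v[0]), abs(v[1])), abs(v[2]))
    if g == 0:
        raise ValueError("zero vector: the two planes coincide, their meet is not a line")
    v = tuple(c // g for c in v)
    first = next(c for c in v if c != 0)
    return v if first > 0 else tuple(-c for c in v)


def meet(u1, v1, u2, v2):
    """E_{u1};E_{v1} . E_{u2};E_{v2} = E_u, where u spans the intersection of the planes
    span{u1,v1} and span{u2,v2} (Theorem 1 (x)); that line is along (u1 x v1) x (u2 x v2)."""
    return primitive(cross(cross(u1, v1), cross(u2, v2)))


def compass_sequence(n, u=(1, 0, 0), v=(0, 1, 0), y=(0, 0, 1), z=(1, 1, 1)):
    """Return [(X_0,Y_0,Z_0), ..., (X_n,Y_n,Z_n)], each relation E_w represented by w, where
    X_0 = E_u, Y_0 = E_v, Z_0 = E_y and
    X_{n+1} = X_n;E_z . Y_n;Z_n,  Y_{n+1} = Y_n;E_z . X_n;Z_n,  Z_{n+1} = Z_n;E_z . X_n;Y_n."""
    X, Y, Z = primitive(u), primitive(v), primitive(y)
    rows = [(X, Y, Z)]
    for _ in range(n):
        # the right-hand sides all use the old X, Y, Z (tuple assignment evaluates them first)
        X, Y, Z = meet(X, z, Y, Z), meet(Y, z, X, Z), meet(Z, z, X, Y)
        rows.append((X, Y, Z))
    return rows


def distinct_relations(n):
    """Number of distinct equivalence relations among X_0..X_n, Y_0..Y_n, Z_0..Z_n."""
    return len({w for row in compass_sequence(n) for w in row})


if __name__ == "__main__":
    for k, (X, Y, Z) in enumerate(compass_sequence(4)):
        print(f"X_{k} = E_{X}   Y_{k} = E_{Y}   Z_{k} = E_{Z}")
    print("distinct relations up to n = 4:", distinct_relations(4))
```

Every step stays inside the subalgebra generated by $D_u, D_v, D_y, D_z$, since it uses only relative products and Boolean meets of elements already obtained, so each new line vector found by `compass_sequence` is a new element of $C_3[u,v,y,z]$.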



5. Some NP-complete constraint satisfiability problems

Let $\mathfrak{A}$ be a relation algebra. An $\mathfrak{A}$-matrix is a matrix of elements of $\mathfrak{A}$. Suppose M is an n-by-n $\mathfrak{A}$-matrix. We say M is zeroless if no entry in M is 0, and M is closed if $M_{ii} \leq 1'$, $(M_{ij})\breve{\ } = M_{ji}$, and $M_{ij};M_{jk} \geq M_{ik}$, whenever $1 \leq i, j, k \leq n$. If N is another n-by-n matrix, we say N is a reduction of M, in symbols, $N \leq M$, if $N_{ij} \leq M_{ij}$ whenever $1 \leq i, j \leq n$. If X is a set of elements of $\mathfrak{A}$, we say M is bounded by X if every entry of M is included in some element of X.

A binary constraint matrix is a matrix of binary relations. An n-by-n binary constraint matrix M determines an n-ary relation $R(M) = \{(p_1, \ldots, p_n) : (p_i, p_j) \in M_{ij} \text{ whenever } 1 \leq i, j \leq n\}$. The matrix M specifies a binary constraint problem. The solutions to this problem are the n-tuples in $R(M)$, and the problem is solvable if it has a solution. Let U be the set of elements that appear in any pair in any relation in M. Each n-tuple $(p_1, \ldots, p_n)$ of elements of U corresponds naturally to an n-by-n matrix N of atoms of Re(U), where $N_{ij} = \{(p_i, p_j)\}$ whenever $1 \leq i, j \leq n$. Note that $(p_1, \ldots, p_n)$ is a solution to M if and only if its corresponding matrix N is a reduction of M. Furthermore, as a binary constraint problem, M has a solution just in case there is a closed zeroless reduction of M bounded by the set of atoms of Re(U).

This last observation permits us to generalize the concept of constraint satisfaction to arbitrary atomic relation algebras. Let $\mathfrak{A}$ be an atomic relation algebra and let M be an $\mathfrak{A}$-matrix. We say that M is proto-solvable over $\mathfrak{A}$ if there is a closed zeroless reduction of M which is bounded by the set of atoms of $\mathfrak{A}$. Note that if N is a closed zeroless $\mathfrak{A}$-matrix bounded by the atoms of $\mathfrak{A}$, then all the entries in N must actually be atoms of $\mathfrak{A}$. Such a matrix, whose entries are all atoms of $\mathfrak{A}$, is called atomic. So the $\mathfrak{A}$-matrix M is proto-solvable if it has a closed atomic reduction N. Such an N is called a proto-solution. The constraint satisfiability problem for an atomic relation algebra $\mathfrak{A}$ is this: given an $\mathfrak{A}$-matrix, determine whether it has a proto-solution.

For an Re(U)-matrix M, the solutions and proto-solutions (over Re(U)) are in a one-to-one correspondence, as observed above. But for matrices over atomic subalgebras of Re(U), such a correspondence may not exist. Indeed, it is easy to find a set U, a finite subalgebra $\mathfrak{A}$ of Re(U), and an $\mathfrak{A}$-matrix M such that M has a proto-solution but no solution. For example, let $U = \{1,2,3\}$, let $\mathfrak{A}$ be the subalgebra of Re(U) with atoms 1' and 0' ($\mathfrak{A}$ is isomorphic to $C_1[(0)]$), and let

$M = \begin{pmatrix} 1' & 0' & 0' & 0' \\ 0' & 1' & 0' & 0' \\ 0' & 0' & 1' & 0' \\ 0' & 0' & 0' & 1' \end{pmatrix}$.

M is a proto-solution of itself, but it has no solution, since any solution of M must be a quadruple $(p_1, p_2, p_3, p_4)$ with distinct entries, but there are only three elements in U. On the other hand, M can be considered as a $C_1[(0)]$-matrix, in which case it does have solutions, namely all quadruples of distinct real numbers.

We have seen that proto-solutions can exist when solutions do not. It is also possible for solutions to exist when proto-solutions do not: there can be an infinite atomic subalgebra $\mathfrak{A}$ of $\mathfrak{Re}(U)$, where $U$ is a countably infinite set, and an $\mathfrak{A}$-matrix $M$ with a solution but no proto-solution over $\mathfrak{A}$. Examples of this are more difficult to construct, but can be found in [22] and [25]. For such an example, however, it is necessary that $\mathfrak{A}$ be infinite [20, Theorem 5.7].

For the IA, the situation is quite nice. An IA-matrix has a solution if and only if it has a proto-solution [21], [20], and this is true for all isomorphic copies of the IA which are embedded in algebras where $U$ is not necessarily the set of events based on real numbers. Constraint satisfiability for the IA is NP-complete. A sketch of a proof of this was given in [51]. The idea of that proof is to reduce the 3-clause satisfiability problem (for propositional calculus) to constraint satisfiability for the IA. (Additional details for that proof are given in [52].) Another proof is sketched in [48], where graph-colorability is reduced to constraint satisfiability for the IA. Both of these proofs deal with solutions, not proto-solutions, but, in view of the remarks made above, this makes no difference to the IA.

The NP-completeness of the constraint satisfiability problem for the IA follows from Theorem 2 below. This theorem is not restricted to the IA and indeed applies to some compass algebras. It also applies to infinite algebras, such as the Allen-Hayes algebra, and to nonrepresentable algebras.

Theorem 2. Assume $\mathfrak{A}$ is a relation algebra with elements $x, y, z \ne 0$, such that

(i) $1', x, \breve{x}, y, \breve{y}, z, \breve{z}$ are pairwise disjoint,

(ii) $z \cdot z;y = 0$,

(iii) $y \cdot x;y = 0$,

(iv) $x \cdot x;y = 0$,

(v) $z \cdot x;z = 0$,

(vi) $y \cdot y;z = 0$,

(vii) $x \cdot z;x = 0$,

(viii) $z \le x;y$, $x \le z;\breve{y}$, $y \le \breve{x};z$,

(ix) $1' \le x;\breve{x} \cdot \breve{x};x \cdot y;\breve{y} \cdot \breve{y};y \cdot z;\breve{z} \cdot \breve{z};z$.

Then the following problem is NP-complete: (R) Determine whether a matrix $M$ over $\mathfrak{A}$ has a closed zeroless reduction bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$.

Proof. It suffices to show that Graph 3-Colorability [10] is reducible to (R). Let $G = (V,E)$ be a graph (i.e., $E$ is a symmetric binary relation on $V$ that is disjoint from the identity relation on $V$). We may assume without loss of generality that the set $V$ of vertices of $G$ is $\{4,\ldots,|V|+3\}$, where $|V|$ is the cardinality of $V$. Let $n = |V|+3$. Let $M$ be the $n$-by-$n$ $\mathfrak{A}$-matrix determined by the following stipulations:

(i) $M_{ii} = 1'$ for $1 \le i \le n$,

(ii) $M_{12} = x$, $M_{21} = \breve{x}$, $M_{23} = y$, $M_{32} = \breve{y}$, $M_{13} = z$, $M_{31} = \breve{z}$,

(iii) $M_{i1} = 1' + \breve{x} + \breve{z}$, $M_{1i} = 1' + x + z$, $M_{i2} = 1' + x + \breve{y}$, $M_{2i} = 1' + \breve{x} + y$, $M_{i3} = 1' + y + z$, and $M_{3i} = 1' + \breve{y} + \breve{z}$ whenever $i \in V$ (i.e., $4 \le i \le n$),

(iv) $M_{ij} = M_{ji} = x + \breve{x} + y + \breve{y} + z + \breve{z}$ whenever $i,j \in V$ and $(i,j) \in E$,

(v) in all other cases, $M_{ij} = 1$.

We will show that there is a natural one-to-one correspondence between 3-colorings of the graph $G$ and closed zeroless reductions of $M$ which are bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$. It follows that $M$ has a closed zeroless reduction bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$ just in case the graph $G$ is 3-colorable.

Suppose that $N$ is a closed zeroless reduction of $M$ which is bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$. We will show that $N$ determines a 3-coloring $\gamma : V \to \{1,2,3\}$ of $G$. First, since $1', x, \breve{x}, y, \breve{y}, z, \breve{z}$ are pairwise disjoint, $N$ is zeroless, and $N$ is bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$, we conclude that if $1 \le i,j \le n$, exactly one of the following seven statements holds: $N_{ij} \le 1'$, $N_{ij} \le x$, $N_{ij} \le \breve{x}$, $N_{ij} \le y$, $N_{ij} \le \breve{y}$, $N_{ij} \le z$, $N_{ij} \le \breve{z}$. Now we look at the possible values of $N_{i1}$, $N_{i2}$, and $N_{i3}$ for an arbitrary $i \in V$, i.e., for $4 \le i \le n$. Since $N \le M$, we have

$N_{12} \le x$, $N_{23} \le y$, $N_{13} \le z$,

$N_{i1} \le 1' + \breve{x} + \breve{z}$, $N_{i2} \le 1' + x + \breve{y}$, $N_{i3} \le 1' + y + z$.

If $N_{i1} \le 1'$, then

$N_{i2} \le N_{i1};N_{12} \le 1';x = x$,

$N_{i3} \le N_{i1};N_{13} \le 1';z = z$.

Similarly, if $N_{i2} \le 1'$, then

$N_{i1} \le N_{i2};N_{21} \le 1';\breve{x} = \breve{x}$,

$N_{i3} \le N_{i2};N_{23} \le 1';y = y$.

Finally, if $N_{i3} \le 1'$, then

$N_{i1} \le N_{i3};N_{31} \le 1';\breve{z} = \breve{z}$,

$N_{i2} \le N_{i3};N_{32} \le 1';\breve{y} = \breve{y}$.

From these observations it follows that $N_{ik} \le 1'$ for at most one $k \in \{1,2,3\}$. To show $N_{ik} \le 1'$ for at least one $k \in \{1,2,3\}$, we assume $N_{i1} \le \breve{x} + \breve{z}$, $N_{i2} \le x + \breve{y}$, and $N_{i3} \le y + z$, and derive a contradiction. There are two cases. First, if $N_{i3} \le y$, then

$N_{i1} \le (\breve{x} + \breve{z}) \cdot N_{i3};N_{31} \le (\breve{x} + \breve{z}) \cdot y;\breve{z} \le \breve{x}$,

$N_{i2} \le (x + \breve{y}) \cdot N_{i3};N_{32} \le (x + \breve{y}) \cdot y;\breve{y} \le \breve{y}$

by (ii) and (iii), respectively. From these last two equations we get

$N_{i2} \le \breve{y} \cdot N_{i1};N_{12} \le \breve{y} \cdot \breve{x};x = 0$

by (iv), contradicting the assumption that $N$ is zeroless. Second, if $N_{i3} \le z$, then

$N_{i1} \le (\breve{x} + \breve{z}) \cdot N_{i3};N_{31} \le (\breve{x} + \breve{z}) \cdot z;\breve{z} \le \breve{z}$,

$N_{i2} \le (x + \breve{y}) \cdot N_{i3};N_{32} \le (x + \breve{y}) \cdot z;\breve{y} \le x$

by (v) and (vi), respectively. From these last two equations we get

$N_{i2} \le x \cdot N_{i1};N_{12} \le x \cdot \breve{z};x = 0$

by (vii), again contradicting the assumption that $N$ is zeroless. This exhausts the possibilities. Thus we have $N_{ik} \le 1'$ for exactly one $k \in \{1,2,3\}$. This allows us to define $\gamma : V \to \{1,2,3\}$ by $\gamma(i) = k$ iff $N_{ik} \le 1'$, for every $i \in V$. Now if $(i,j) \in E$, then we must have $\gamma(i) \ne \gamma(j)$, for if $\gamma(i) = \gamma(j) = k$, then we have $N_{ik} \le 1'$ and $N_{jk} \le 1'$, from which we obtain

$N_{ij} \le N_{ik};N_{kj} \le 1';1' = 1'$,

while also $0 \ne N_{ij} \le M_{ij} = x + \breve{x} + y + \breve{y} + z + \breve{z}$, contradicting (i). Thus $\gamma$ is a 3-coloring of $G$.

For the other direction, if we have a 3-coloring $\gamma : V \to \{1,2,3\}$ of $G$, we can get a closed zeroless reduction $N \le M$ which is bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$ as follows. Set $N_{12} = x$, $N_{21} = \breve{x}$, $N_{23} = y$, $N_{32} = \breve{y}$, $N_{13} = z$, $N_{31} = \breve{z}$, and $N_{ii} = 1'$ whenever $1 \le i \le n$. For all $i,j \in V$, and every $k \in \{1,2,3\}$, set $N_{ik} = N_{\gamma(i)k}$, $N_{ki} = N_{k\gamma(i)}$, and $N_{ij} = N_{\gamma(i)\gamma(j)}$. It follows from (viii) and (ix) that this definition gives a closed zeroless matrix $N$. Obviously, $N$ is bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$. The fact that $\gamma$ is a 3-coloring of $G$ is used to show that $N \le M$. □
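The reduction just proved, instantiated in the interval algebra with the choice $x = m$ (meets), $y = f$ (finishes), $z = s$ (starts) used in Corollary 3(ii) below, as an added Python example (not code from the paper): it builds the matrix $M$ of the proof for a given graph and enumerates the tuples of intervals whose atomic matrix is a reduction of $M$; the concrete intervals $1 = [0,1]$, $2 = [1,2]$, $3 = [0,2]$ and the restriction of vertex intervals to these three (forced by $N_{ik} \le 1'$ for some $k$) are assumptions of the example.

```python
"""Theorem 2's reduction from Graph 3-Colorability, instantiated in the IA.

Added example, not code from the paper.  It uses the Corollary 3(ii) choice
x = m (meets), y = f (finishes), z = s (starts) and the concrete intervals
1 = [0,1], 2 = [1,2], 3 = [0,2], which satisfy 1 m 2, 2 f 3, 1 s 3.  Because a
solution must have N_ik <= 1' (equality) for some k, every vertex interval
equals one of these three, so solutions can be enumerated by brute force.
"""
from itertools import product

# Converse of each basic relation used below ("1'" is equality).
CONV = {"1'": "1'", "m": "mi", "mi": "m", "f": "fi", "fi": "f", "s": "si", "si": "s"}
X, Y, Z = "m", "f", "s"                        # x, y, z of Theorem 2
XC, YC, ZC = CONV[X], CONV[Y], CONV[Z]         # their converses
BOUND = frozenset(["1'", X, XC, Y, YC, Z, ZC])  # {1', x, x~, y, y~, z, z~}
INTERVALS = {1: (0, 1), 2: (1, 2), 3: (0, 2)}  # fixed intervals 1, 2, 3


def allen(a, b):
    """Name of the basic Allen relation that holds between intervals a and b."""
    (a0, a1), (b0, b1) = a, b
    if (a0, a1) == (b0, b1):
        return "1'"
    if a1 == b0:
        return "m"
    if b1 == a0:
        return "mi"
    if a1 == b1:
        return "f" if a0 > b0 else "fi"
    if a0 == b0:
        return "s" if a1 < b1 else "si"
    if a1 < b0:
        return "b"
    if b1 < a0:
        return "bi"
    if a0 < b0 < a1 < b1:
        return "o"
    if b0 < a0 < b1 < a1:
        return "oi"
    return "d" if b0 < a0 else "di"


def build_matrix(vertices, edges):
    """The matrix M of the proof, for vertices 4..n and symmetric edges.

    An entry is the set of atoms allowed for N_ij; an absent key means M_ij = 1.
    """
    n = 3 + len(vertices)
    M = {(i, i): {"1'"} for i in range(1, n + 1)}                 # (i)
    M[1, 2], M[2, 1] = {X}, {XC}                                  # (ii)
    M[2, 3], M[3, 2] = {Y}, {YC}
    M[1, 3], M[3, 1] = {Z}, {ZC}
    for i in vertices:                                            # (iii)
        M[i, 1], M[1, i] = {"1'", XC, ZC}, {"1'", X, Z}
        M[i, 2], M[2, i] = {"1'", X, YC}, {"1'", XC, Y}
        M[i, 3], M[3, i] = {"1'", Y, Z}, {"1'", YC, ZC}
    for i, j in edges:                                            # (iv)
        M[i, j] = M[j, i] = BOUND - {"1'"}
    return n, M


def solutions(vertices, edges):
    """Colorings induced by the tuples whose atomic matrix is a reduction of M."""
    n, M = build_matrix(vertices, edges)
    found = []
    for choice in product((1, 2, 3), repeat=len(vertices)):
        tup = dict(INTERVALS)
        tup.update(zip(vertices, (INTERVALS[c] for c in choice)))
        if all((i, j) not in M or allen(tup[i], tup[j]) in M[i, j]
               for i in range(1, n + 1) for j in range(1, n + 1)):
            found.append(dict(zip(vertices, choice)))
    return found


def is_proper_3_coloring(edges, coloring):
    """gamma(i) != gamma(j) for every edge, as the proof requires."""
    return all(coloring[i] != coloring[j] for i, j in edges)


if __name__ == "__main__":
    triangle = [(4, 5), (5, 6), (4, 6)]
    print(solutions([4, 5, 6], triangle))      # the 6 proper colorings of K3
```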

Corollary 3. (i) Constraint satisfiability for $\mathfrak{C}_2[\{(1,0),(1,1),(0,1)\}]$ is NP-complete. The same is true for the symmetric subalgebra of $\mathfrak{C}_2[\{(1,0),(1,1),(0,1)\}]$.

(ii) Constraint satisfiability for the IA is NP-complete. The same is true for the Allen-Hayes algebra.

Proof. (i): Use Theorem 2 with $x = d$, $y = c$, and $z = e$.

(ii): Use Theorem 2 with $x = m$, $y = f$, and $z = s$. □

Theorem 2 applies to a 3-directional compass algebra. For 2-directional compass algebras we need another theorem.
Theorem 4. Let $\mathfrak{A}$ be a relation algebra with nonzero elements $x, y, z$ such that

(i) $1', x, \breve{x}, y, \breve{y}, z, \breve{z}$ are pairwise disjoint,

(ii) $y \cdot x;x = 0$,

(iii) $y \cdot x;y = 0$,

(iv) $y \cdot y;x = 0$,

(v) $y \cdot y;z = 0$,

(vi) $y \cdot z;y = 0$,

(vii) $y \cdot z;z = 0$,

(viii) $x \cdot z;x = 0$,

(ix) $x \cdot x;z = 0$,

(x) $z \le z;z$, $z \le z;\breve{z}$, $z \le \breve{z};z$,

(xi) $y \le y;y$, $y \le y;\breve{y}$, $y \le \breve{y};y$,

(xii) $y \le x;z$, $x \le y;\breve{z}$, $z \le \breve{x};y$,

(xiii) $y \le z;x$, $z \le y;\breve{x}$, $x \le \breve{z};y$,

(xiv) $x \le z;y$, $z \le x;\breve{y}$, $y \le \breve{z};x$,

(xv) $y \le z;z$, $z \le y;\breve{z}$, $z \le \breve{z};y$,

(xvi) $x \le z;z$, $z \le x;\breve{z}$, $z \le \breve{z};x$,

(xvii) $x \le y;z$, $y \le x;\breve{z}$, $z \le \breve{y};x$,

(xviii) $1' \le x;\breve{x} \cdot \breve{x};x \cdot y;\breve{y} \cdot \breve{y};y \cdot z;\breve{z} \cdot \breve{z};z$.

Then the following problem is NP-complete: (R) Determine whether a network $N$ over $\mathfrak{A}$ with labels in $\{y, x+y+z, z+\breve{z}\}$ has a closed zeroless reduction bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$.

As in the previous proof, we show that Graph 3-Colorability [10] is reducible to (R). Let $G = (V,E)$ be a graph with vertex set $V = \{3,\ldots,|V|+2\}$. Let $n = |V|+2$. Let $M$ be the $n$-by-$n$ $\mathfrak{A}$-matrix determined by the following stipulations: $M_{12} = y$, $M_{21} = \breve{y}$, $M_{1i} = M_{i2} = x + y + z$ for every $i \in V$, $M_{ij} = z + \breve{z}$ whenever $i,j \in V$ and $(i,j) \in E$. The 3-colorings of $G$ correspond to closed zeroless reductions of $M$ which are bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$.

Suppose that $N$ is a closed zeroless reduction of $M$ which is bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$. We show that $N$ determines a 3-coloring $\gamma : V \to \{1,2,3\}$. First, if $1 \le i,j \le n$, then exactly one of the following seven statements holds: $N_{ij} \le 1'$, $N_{ij} \le x$, $N_{ij} \le \breve{x}$, $N_{ij} \le y$, $N_{ij} \le \breve{y}$, $N_{ij} \le z$, and $N_{ij} \le \breve{z}$. Now we look at the possible values of $N_{1i}$ and $N_{i2}$ for an arbitrary $i \in V$. We have $N_{12} \le y$, $N_{1i} \le x + y + z$, $N_{i2} \le x + y + z$. Hence there are nine cases, six of which are ruled out because they contradict one of the hypotheses. For example, if $N_{1i} \le x$ and $N_{i2} \le y$, then by (iii) we have

$N_{12} \le y \cdot N_{1i};N_{i2} \le y \cdot x;y = 0$,

contradicting the assumption that $N$ is zeroless. The following table shows which cases are ruled out by hypotheses (ii)-(vii).

                    $N_{i2} \le x$     $N_{i2} \le y$     $N_{i2} \le z$
    $N_{1i} \le x$  No, by (ii).       No, by (iii).
    $N_{1i} \le y$  No, by (iv).                          No, by (v).
    $N_{1i} \le z$                     No, by (vi).       No, by (vii).

The remaining three cases are used to define $\gamma : V \to \{1,2,3\}$. For every $i \in V$,

$$\gamma(i) = \begin{cases} 1 & \text{if } N_{1i} \le x \text{ and } N_{i2} \le z, \\ 2 & \text{if } N_{1i} \le y \text{ and } N_{i2} \le y, \\ 3 & \text{if } N_{1i} \le z \text{ and } N_{i2} \le x. \end{cases}$$

Now we must show $\gamma(i) \ne \gamma(j)$ whenever $(i,j) \in E$. Since $N$ is closed and $N \le M$,

$N_{ij} \le z + \breve{z}$, $N_{ji} \le z + \breve{z}$.







RELATION ALGEBRAS 





If $\gamma(i) = 1$ then $N_{1i} \le x$, so by (ix) we get

$N_{1j} \le (x + y + z) \cdot N_{1i};N_{ij}$

$\le (x + y + z) \cdot x;(z + \breve{z})$

$\le (x + y + z) \cdot (x;z + x;\breve{z}) \le y + z$.

Therefore, either $N_{1j} \le y$ and $\gamma(j) = 2$, or else $N_{1j} \le z$ and $\gamma(j) = 3$. Thus $\gamma(i) \ne \gamma(j)$. If $\gamma(i) = 2$ then $N_{i2} \le y$, so

$N_{j2} \le (x + y + z) \cdot N_{ji};N_{i2}$

$\le (x + y + z) \cdot (z + \breve{z});y$

$\le (x + y + z) \cdot (z;y + \breve{z};y) \le x + z$

by (vi). Thus either $N_{j2} \le z$ and $\gamma(j) = 1$, or else $N_{j2} \le x$ and $\gamma(j) = 3$. Again, $\gamma(i) \ne \gamma(j)$. Finally, if $\gamma(i) = 3$ then $N_{i2} \le x$, so

$N_{j2} \le (x + y + z) \cdot N_{ji};N_{i2}$

$\le (x + y + z) \cdot (z + \breve{z});x$

$\le (x + y + z) \cdot (z;x + \breve{z};x) \le y + z$

by (viii). Either $N_{j2} \le y$ and $\gamma(j) = 2$, or else $N_{j2} \le z$ and $\gamma(j) = 1$. Hence $\gamma(i) \ne \gamma(j)$. This completes the proof that $\gamma(i) \ne \gamma(j)$ whenever $(i,j) \in E$, and shows that $\gamma$ is a 3-coloring of $G$.

For the other direction, if we have a 3-coloring $\gamma : V \to \{1,2,3\}$, we can get a closed zeroless reduction $N \le M$ which is bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$. Set $N_{12} = y$, $N_{21} = \breve{y}$, and $N_{ii} = 1'$ whenever $1 \le i \le n$. For all $i,j \in V$, set

$$N_{ij} = \begin{cases} 1' & \text{if } \gamma(i) = \gamma(j), \\ z & \text{if } \gamma(i) > \gamma(j), \\ \breve{z} & \text{if } \gamma(i) < \gamma(j), \end{cases}$$

$$N_{1i} = \begin{cases} x & \text{if } \gamma(i) = 1, \\ y & \text{if } \gamma(i) = 2, \\ z & \text{if } \gamma(i) = 3, \end{cases} \qquad N_{i1} = \begin{cases} \breve{x} & \text{if } \gamma(i) = 1, \\ \breve{y} & \text{if } \gamma(i) = 2, \\ \breve{z} & \text{if } \gamma(i) = 3, \end{cases}$$

$$N_{i2} = \begin{cases} z & \text{if } \gamma(i) = 1, \\ y & \text{if } \gamma(i) = 2, \\ x & \text{if } \gamma(i) = 3, \end{cases} \qquad N_{2i} = \begin{cases} \breve{z} & \text{if } \gamma(i) = 1, \\ \breve{y} & \text{if } \gamma(i) = 2, \\ \breve{x} & \text{if } \gamma(i) = 3. \end{cases}$$

It follows from (x)-(xviii) that $N$ is closed and zeroless. Obviously, $N$ is bounded by $\{1', x, \breve{x}, y, \breve{y}, z, \breve{z}\}$. The fact that $\gamma$ is a 3-coloring of $G$ is used to show that $N \le M$. □

To see the necessity of (x)-(xviii), consider the following example. Let $G = (V,E)$ where $V = \{3,4,5\}$ and $E = \emptyset$. Let $\gamma : V \to \{1,2,3\}$ be the 3-coloring of $G$ defined by $\gamma(i) = i - 2$ for every $i \in V$. The resulting $N$ is shown below. The matrix $N$ is closed iff (x)-(xviii) hold.

$$N = \begin{pmatrix} 1' & y & x & y & z \\ \breve{y} & 1' & \breve{z} & \breve{y} & \breve{x} \\ \breve{x} & z & 1' & \breve{z} & \breve{z} \\ \breve{y} & y & z & 1' & \breve{z} \\ \breve{z} & x & z & z & 1' \end{pmatrix}$$

Corollary 5. Constraint satisfiability for $\mathfrak{C}_2[\{(1,0),(0,1)\}]$ is NP-complete. The same is true for any compass algebra with at least two directions.

Proof. By Theorem 4, with $x = a$, $y = e$, and $z = d$. □

These theorems can be extended to show that essentially all but the most trivial compass and interval algebras have NP-hard constraint satisfaction problems.

6. Relational semantics 

The results in this section are stated without proofs. For proofs and additional details see [23] 
and [24]. 

Let $\mathcal{L}$ be a programming language which contains two disjoint classes of objects $\mathcal{L}_P$ and $\mathcal{L}_C$, called the predicates and commands of $\mathcal{L}$, respectively. The commands are of two types, basic and compound. Among the basic commands are havoc, abort, and skip. There may be other basic commands, e.g., assignment statements, but they will not be treated here. The compound commands are closed under three formation rules, and every compound command can be obtained in exactly one of these three ways.

(i) If $S_0, S_1$ are commands then so is $S_0;S_1$.

(ii) If $S$ is a command and $B$ is a predicate, then do $B \to S$ od is a command.

(iii) If $\{S_i : i \in I\}$ is a set of commands and $\{B_i : i \in I\}$ is a set of predicates, then if $i : B_i \to S_i$ fi is a command.

If $\{S_i : i \in I\} = \{S\}$ and $\{B_i : i \in I\} = \{B\}$ we denote if $i : B_i \to S_i$ fi by simply if $B \to S$ fi.

Imagine that $U$ is a set of machine states, that each command $S$ has an associated "input-output relation" $r_S$ containing all pairs of states $(p,q)$ for which there is a terminating computation of $S$ starting at input state $p$ and ending at output state $q$, that each command $S$ has a "nontermination relation" $e_S$ of the form $E \times U$, where $E$ is the set of states initiating nonterminating (or "eternal") computations of $S$, and that each predicate $B$ has a corresponding relation $d_B$ of the form $X \times U$, where $X$ is the set of states satisfying $B$. An element $x$ of a relation algebra is a domain element if $x;1 = x$. Thus $e_S$ and $d_B$ are domain elements of $\mathfrak{Re}(U)$, and $\mathfrak{Re}(U), r, e, d$ is a concrete example of an "interpretation", called an "operational interpretation". The concept of interpretation is generalized from this concrete case and defined for an arbitrary relation algebra as follows.

Definition 6. An interpretation of $\mathcal{L}$ is a relation algebra $\mathfrak{A} = \langle A, +, \cdot, \bar{\ }, 0, 1, ;, \breve{\ }, 0', 1' \rangle$ together with three maps

$r : \mathcal{L}_C \to A$, $e : \mathcal{L}_C \to A$, and $d : \mathcal{L}_P \to A$,

such that

(i) $e_S;1 = e_S$ for every command $S \in \mathcal{L}_C$,

(ii) $d_B;1 = d_B$ for every predicate $B \in \mathcal{L}_P$.

Each command $S$ has its associated "weakest-liberal-precondition" and "weakest-precondition" transformers (and their duals), defined by

(i) $\mathrm{wlp}_S(x) = \overline{r_S;\bar{x}}$,

(ii) $\mathrm{wp}_S(x) = \overline{r_S;\bar{x} + e_S} = (\overline{r_S;\bar{x}}) \cdot \overline{e_S}$,

(iii) $\mathrm{wlp}^{d}_S(x) = \overline{\mathrm{wlp}_S(\bar{x})} = r_S;x$,

(iv) $\mathrm{wp}^{d}_S(x) = \overline{\mathrm{wp}_S(\bar{x})} = r_S;x + e_S$.

In case $x$ is a domain element, $\mathrm{wlp}_S(x)$ is called the "weakest liberal precondition guaranteeing $x$", and $\mathrm{wp}_S(x)$ is called the "weakest precondition guaranteeing $x$".

Theorem 7. If $x$ is a domain element, then $\mathrm{wlp}_S(x)$ and $\mathrm{wp}_S(x)$ are also domain elements.

We will usually apply the functions $\mathrm{wlp}_S(\cdot)$ and $\mathrm{wp}_S(\cdot)$ only to domain elements, although they are defined for all elements of the relation algebra $\mathfrak{A}$. The extended definition allows the recovery of $r_S$ from $\mathrm{wlp}_S(\cdot)$, since $r_S = \mathrm{wlp}^{d}_S(1')$. The extended definition allows something more. Suppose we consider two commands $S_0$, $S_1$, and we wish to construct from them a command $S_2$ such that $r_{S_2};r_{S_1} \le r_{S_0}$. According to De Morgan's Theorem K, this condition is equivalent to $r_{S_2} \le \overline{\overline{r_{S_0}};\breve{r}_{S_1}}$, but $\overline{\overline{r_{S_0}};\breve{r}_{S_1}} = (\mathrm{wlp}_{S_1}(\breve{r}_{S_0}))\breve{}$, so we can use any $S_2$ such that $r_{S_2} \le (\mathrm{wlp}_{S_1}(\breve{r}_{S_0}))\breve{}$.

The relation $\overline{\overline{r_{S_0}};\breve{r}_{S_1}}$ is called the "weakest prespecification" of $S_0$ and $S_1$ [13, p. 684]. The weakest prespecification was explicitly mentioned by Peirce in [38] (under a different name, of course). The converse-dual of the weakest prespecification, namely $\overline{\bar{x};y}$, was already introduced by De Morgan in [35] and called "progressive involution" by Peirce. Many algebraic laws governing this operation can be found in [42], and some of them are proved in [14] and [15] from a different axiomatization for relation algebras.

Theorem 8. The following laws hold for arbitrary interpretations.

(i) $\mathrm{wp}_S(x) = \mathrm{wlp}_S(x) \cdot \overline{e_S}$,

(ii) $\mathrm{wlp}_S(1) = 1$,

(iii) $\mathrm{wp}_S(1) = \overline{e_S}$,

(iv) $\mathrm{wp}_S(x) = \mathrm{wlp}_S(x) \cdot \mathrm{wp}_S(1)$,

(v) $r_S = \mathrm{wlp}^{d}_S(1')$,

(vi) $e_S = \mathrm{wp}^{d}_S(0)$,

(vii) $\mathrm{wlp}^{d}_S(\cdot)$, $\mathrm{wlp}_S(\cdot)$, $\mathrm{wp}^{d}_S(\cdot)$, and $\mathrm{wp}_S(\cdot)$ are monotone (preserve inclusions),

(viii) $\mathrm{wlp}^{d}_S(\cdot)$ distributes over arbitrary joins,

(ix) $\mathrm{wlp}_S(\cdot)$ distributes over arbitrary meets,

(x) $\mathrm{wp}^{d}_S(\cdot)$ distributes over nonempty joins,

(xi) $\mathrm{wp}_S(\cdot)$ distributes over nonempty meets,

(xii) $\mathrm{wlp}_S(x) \cdot \mathrm{wlp}_S(y) = \mathrm{wlp}_S(x \cdot y)$,

(xiii) $\mathrm{wp}_S(x) \cdot \mathrm{wp}_S(y) = \mathrm{wp}_S(x \cdot y)$,

(xiv) $\mathrm{wp}_S(x) \cdot \mathrm{wlp}_S(y) = \mathrm{wp}_S(x \cdot y)$,

(xv) If $\mathrm{wp}_S(0) = 0$ then $\mathrm{wp}_S(x) \le \mathrm{wlp}^{d}_S(x)$.

Definition 9 below is based on the remarks in [9, p. 137]. What is actually used as a definition of "$S$ is deterministic" in [9] depends on the assumption that $\mathrm{wp}_S(0) = 0$, and appears in Theorem 10. Determinism in the arbitrary case is characterized in Theorem 11, which says that $S$ is deterministic if and only if $r_S$ is a partial function, and no state initiates both a terminating and a nonterminating computation of $S$, i.e., $r_S$ and $e_S$ have disjoint domains. Note that a deterministic $S$ can still have nonterminating computations.

Definition 9. A command $S \in \mathcal{L}_C$ is deterministic if $\mathrm{wlp}^{d}_S(x) \le \mathrm{wp}_S(x)$ for all $x$.

Theorem 10. If $\mathrm{wp}_S(0) = 0$, then $S$ is deterministic iff $\mathrm{wlp}^{d}_S(x) = \mathrm{wp}_S(x)$ for all $x$.

Theorem 11. A command $S$ is deterministic iff $\breve{r}_S;r_S \le 1'$ and $r_S;1 \cdot e_S = 0$.

Now we turn to the definition of a "correct" interpretation, one which respects the intended meanings of the basic commands and command structures given above. The remarks following Definition 12 are justifications for the correspondingly labeled parts of Definition 12. In motivating the definition of correct interpretation we freely form joins which, in case we are dealing with an algebra $\mathfrak{Re}(U)$ of all binary relations on the universe of states $U$, are simply unions and certainly do exist. In the abstract definition, however, we need to know that various joins exist, and so, in order to avoid lengthy formulations of results, we ask that the relation algebra used in a correct interpretation be complete.

Definition 12. An interpretation is correct if $\mathfrak{A}$ is complete and the following conditions hold.

(i) $r_{\mathbf{havoc}} = 1$ and $e_{\mathbf{havoc}} = 0$.

(ii) $r_{\mathbf{abort}} = 0$ and $e_{\mathbf{abort}} = 1$.

(iii) $r_{\mathbf{skip}} = 1'$ and $e_{\mathbf{skip}} = 0$.

(iv) For all commands $S_0, S_1$, $r_{S_0;S_1} = r_{S_0};r_{S_1}$ and $e_{S_0;S_1} = e_{S_0} + r_{S_0};e_{S_1}$.

(v) For all $I$-indexed sets $\{B_i : i \in I\}$ of predicates and $\{S_i : i \in I\}$ of commands,

$r_{\mathbf{if}\,i:B_i \to S_i\,\mathbf{fi}} = \sum_{i \in I} (d_{B_i} \cdot r_{S_i})$, $\quad e_{\mathbf{if}\,i:B_i \to S_i\,\mathbf{fi}} = \prod_{i \in I} \overline{d_{B_i}} + \sum_{i \in I} (d_{B_i} \cdot e_{S_i})$.

(vi) For every predicate $B$ and every command $S$,

$r_{\mathbf{do}\,B \to S\,\mathbf{od}} = \sum_{n \in \omega} \big( (d_B \cdot r_S)^n ; (\overline{d_B} \cdot 1') \big)$, $\quad e_{\mathbf{do}\,B \to S\,\mathbf{od}} = \sum \{ y : y \le d_B \cdot (e_S + r_S;y) \}$.

Remarks on parts of Definition 12:

(i) Every execution of havoc terminates; upon termination the machine may be in any state. Thus every state is connected to every other state by a terminating computation of havoc, and havoc has no nonterminating computations.

(ii) For every initial state the execution of abort fails to terminate, that is, every state initiates a nonterminating computation of abort, and abort has no terminating computations.

(iii) Every execution of skip is guaranteed to terminate and leaves the state of the machine unchanged, that is, there are no nonterminating computations, and every computation has the same final state as initial state.

(iv) The operational interpretation of $S_0;S_1$ is "first execute $S_0$, then execute $S_1$". Thus a terminating computation of $S_0;S_1$ starts at a state that begins a terminating computation of $S_0$ that ends at a state that begins a terminating computation of $S_1$ that ends at the final state of the computation of $S_0;S_1$. A state initiates a nonterminating computation of $S_0;S_1$ if it either initiates a nonterminating computation of $S_0$, or else initiates a terminating computation of $S_0$ that ends at a state that begins a nonterminating computation of $S_1$.

(v) A computation is a terminating computation of if $i : B_i \to S_i$ fi if, for some $i \in I$, it is a terminating computation of $S_i$ whose initial state satisfies $B_i$. The states initiating nonterminating computations of if $i : B_i \to S_i$ fi are those in which no $B_i$ is satisfied, together with those which, for some $i \in I$, satisfy $B_i$ and initiate a nonterminating computation of $S_i$.

(vi) A terminating computation for do $B \to S$ od is a finite sequence (possibly empty) of terminating computations of if $B \to S$ fi, such that the last computation terminates at a state not satisfying $B$. Consider a state $p$ from which a nonterminating computation of do $B \to S$ od is possible. First, $B$ must hold at $p$, since otherwise the execution of do $B \to S$ od would terminate immediately. Therefore $p$ is in the domain of $d_B$. Since $B$ holds, $S$ is executed. This either leads to a nonterminating computation of $S$, that is, $p$ is in the domain of $e_S$, or else there is no such nonterminating computation. Therefore $p$ must initiate a terminating computation of $S$, for if not, we would have a state satisfying $B$ from which no computation of $S$ is possible, contradicting our assumption that $p$ does initiate a computation of do $B \to S$ od. Thus $p$ initiates no nonterminating computations of $S$, but does initiate a nonterminating computation of do $B \to S$ od, so at least one of the terminating computations of $S$ must end in a state from which a nonterminating computation of do $B \to S$ od is possible. This conclusion is equivalent to asserting that $p$ is in the domain of $r_S;e_{\mathbf{do}\,B \to S\,\mathbf{od}}$. Putting these inclusions together, we conclude that any state in the domain of $e_{\mathbf{do}\,B \to S\,\mathbf{od}}$ must be in the domain of $d_B \cdot (e_S + r_S;e_{\mathbf{do}\,B \to S\,\mathbf{od}})$, that is, $e_{\mathbf{do}\,B \to S\,\mathbf{od}} \le d_B \cdot (e_S + r_S;e_{\mathbf{do}\,B \to S\,\mathbf{od}})$. Thus $e_{\mathbf{do}\,B \to S\,\mathbf{od}}$ is a solution of $y \le d_B \cdot (e_S + r_S;y)$.

Conversely, we can argue that if $y \le d_B \cdot (e_S + r_S;y)$ then $y \le e_{\mathbf{do}\,B \to S\,\mathbf{od}}$. Indeed, a state $p$ in the domain of $y$ must satisfy $B$, and either a nonterminating computation of $S$ is possible from $p$, in which case $p$ initiates a nonterminating computation of do $B \to S$ od, or else $p$ initiates a terminating computation of $S$ that ends in a state $p'$ which is again in the domain of $y$. Either $p'$ initiates a nonterminating computation of $S$ or a terminating computation of $S$ that ends at a state $p''$ in the domain of $y$, and so on. We either eventually get into a nonterminating computation of $S$, or else create an infinite sequence of terminating computations of $S$. Either way we get a nonterminating computation of do $B \to S$ od, so $p$ is in the domain of $e_{\mathbf{do}\,B \to S\,\mathbf{od}}$. Since $e_{\mathbf{do}\,B \to S\,\mathbf{od}}$ is a domain relation, this argument is enough to show $y \le e_{\mathbf{do}\,B \to S\,\mathbf{od}}$. Thus $e_{\mathbf{do}\,B \to S\,\mathbf{od}}$ is, in fact, the largest solution of $y \le d_B \cdot (e_S + r_S;y)$. Let $f(y) = d_B \cdot (e_S + r_S;y)$. Then $f$ is monotone, so by Tarski's Fixed Point Theorem [4?], the largest solution of $y \le f(y)$ is $\sum \{ y : y \le f(y) \}$. We therefore set $e_{\mathbf{do}\,B \to S\,\mathbf{od}} = \sum \{ y : y \le f(y) \}$ in Definition 12.

Incidentally, Tarski's Fixed Point Theorem [4?] also asserts that $\sum \{ y : y \le f(y) \} = \sum \{ y : y = f(y) \}$, so $e_{\mathbf{do}\,B \to S\,\mathbf{od}}$ is the largest fixed point of $d_B \cdot (e_S + r_S;(\cdot))$. We can also express this dually: $\overline{e_{\mathbf{do}\,B \to S\,\mathbf{od}}}$ is the smallest fixed point of the function $\overline{d_B} + \overline{e_S} \cdot \overline{r_S;\bar{y}}$, i.e., $\overline{e_{\mathbf{do}\,B \to S\,\mathbf{od}}} = \prod \{ y : \overline{d_B} + \overline{e_S} \cdot \overline{r_S;\bar{y}} \le y \}$.
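A finite operational interpretation in the sense of Definitions 6 and 12, as an added Python example (not code from the paper): the state set, the assignment command and the two loops are constructed here, $e_{\mathbf{do}\,B \to S\,\mathbf{od}}$ is computed as the largest fixed point just described, and the determinism criterion of Theorem 11 is checked on the results.

```python
"""A finite operational interpretation (Definitions 6 and 12) with wlp and wp.

Added example, not code from the paper.  Machine states are the constructed
set U = {0,1,2,3}; a command is the pair (r_S, e_S) of relations on U, and a
predicate B is represented by its domain element d_B = X x U.  The relation
algebra operations are plain set operations on Re(U), so r, e, wlp, wp and
the determinism test of Theorem 11 can all be computed directly.
"""
from itertools import product

U = frozenset(range(4))                      # machine states (constructed)
TOP = frozenset(product(U, U))               # 1
ID = frozenset((u, u) for u in U)            # 1'


def comp(a, b):
    """Relative product a;b."""
    return frozenset((p, q) for (p, m) in a for (m2, q) in b if m == m2)


def conv(a):
    """Converse of a."""
    return frozenset((q, p) for (p, q) in a)


def neg(a):
    """Complement of a relative to 1."""
    return TOP - a


def dom(states):
    """Domain element X x U; d_B and e_S always have this shape."""
    return frozenset((p, q) for p in states for q in U)


# Basic commands, Definition 12 (i)-(iii): (r_S, e_S).
HAVOC = (TOP, frozenset())
ABORT = (frozenset(), TOP)
SKIP = (ID, frozenset())


def assign(f):
    """Terminating deterministic basic command x := f(x) (our own addition)."""
    return (frozenset((p, f(p)) for p in U), frozenset())


def seq(s0, s1):
    """S0;S1, Definition 12 (iv)."""
    (r0, e0), (r1, e1) = s0, s1
    return (comp(r0, r1), e0 | comp(r0, e1))


def if_fi(guarded):
    """if i:B_i -> S_i fi, Definition 12 (v); guarded is a list of (d_B, S)."""
    r = frozenset().union(*(d & rs for d, (rs, _) in guarded))
    no_guard_holds = TOP
    for d, _ in guarded:
        no_guard_holds &= neg(d)
    e = no_guard_holds | frozenset().union(*(d & es for d, (_, es) in guarded))
    return (r, e)


def do_od(d_b, s):
    """do B -> S od, Definition 12 (vi)."""
    rs, es = s
    step, exit_ = d_b & rs, neg(d_b) & ID
    # r = sum_n (d_B.r_S)^n ; (-d_B . 1') is the least solution of
    # y = exit_ + step;y; iterate upward from 0 (U is finite).
    r = frozenset()
    while True:
        nxt = exit_ | comp(step, r)
        if nxt == r:
            break
        r = nxt
    # e = largest solution of y <= d_B . (e_S + r_S;y); iterate the monotone
    # map f downward from 1, as the remark on (vi) and Tarski's theorem justify.
    y = TOP
    while True:
        fy = d_b & (es | comp(rs, y))
        if fy == y:
            break
        y = fy
    return (r, y)


def wlp(s, x):
    """wlp_S(x) = -(r_S ; -x)."""
    return neg(comp(s[0], neg(x)))


def wp(s, x):
    """wp_S(x) = wlp_S(x) . -e_S (Theorem 8 (i))."""
    return wlp(s, x) & neg(s[1])


def deterministic(s):
    """Theorem 11: converse(r_S);r_S <= 1' and r_S;1 . e_S = 0."""
    r, e = s
    return comp(conv(r), r) <= ID and not (comp(r, TOP) & e)


# Constructed loops: do x > 0 -> x := x - 1 od always terminates at 0, while
# a body that may also leave x unchanged lets the loop spin forever if x > 0.
D_POS = dom({1, 2, 3})                                  # d_B for B = "x > 0"
DECR = assign(lambda p: max(p - 1, 0))
MAYBE_DECR = if_fi([(TOP, DECR), (TOP, SKIP)])          # both guards true
COUNTDOWN = do_od(D_POS, DECR)
LAZY_COUNTDOWN = do_od(D_POS, MAYBE_DECR)

if __name__ == "__main__":
    print("states from which countdown surely stops at 0:",
          sorted({p for (p, _) in wp(COUNTDOWN, dom({0}))}))
    print("states from which the lazy loop may never stop:",
          sorted({p for (p, _) in LAZY_COUNTDOWN[1]}))
```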

Definition 12 is concerned only with those language features used here. For our present purposes, the predicates of $\mathcal{L}$ need only form a nonempty set, but if the predicates of $\mathcal{L}$ contain constants true, false, and are closed under standard connectives of propositional calculus, then the following conditions could be added to the definition of correctness:

$d_{\mathbf{true}} = 1$, $\quad d_{\mathbf{false}} = 0$,

$d_{\neg B} = \overline{d_B}$, $\quad d_{B \wedge C} = d_B \cdot d_C$,

$d_{B \vee C} = d_B + d_C$, $\quad d_{B \to C} = \overline{d_B} + d_C$,

$d_{B \leftrightarrow C} = d_B \cdot d_C + \overline{d_B} \cdot \overline{d_C}$.

Correct interpretations are extremely abundant.

Theorem 13. For every language $\mathcal{L}$ and every complete relation algebra $\mathfrak{A}$, if we assume that

(i) $d$ is any map from predicates to domain elements of $\mathfrak{A}$,

(ii) $r'$ is any map from basic commands to elements of $\mathfrak{A}$ such that $r'(\mathbf{havoc}) = 1$, $r'(\mathbf{abort}) = 0$, and $r'(\mathbf{skip}) = 1'$,

(iii) $e'$ is any map from basic commands to domain elements of $\mathfrak{A}$ such that $e'(\mathbf{havoc}) = 0$, $e'(\mathbf{abort}) = 1$, and $e'(\mathbf{skip}) = 0$,

then $r'$ and $e'$ can be extended in a unique way to maps $r$ and $e$ such that $\mathfrak{A}, r, e, d$ is a correct interpretation.

Theorem 14. The following laws hold for an arbitrary correct interpretation of $\mathcal{L}$.

(i) $\mathrm{wlp}_{\mathbf{havoc}}(x) = \overline{1;\bar{x}}$, $\quad \mathrm{wp}_{\mathbf{havoc}}(x) = \overline{1;\bar{x}}$,

(ii) $\mathrm{wlp}_{\mathbf{abort}}(x) = 1$, $\quad \mathrm{wp}_{\mathbf{abort}}(x) = 0$,

(iii) $\mathrm{wlp}_{\mathbf{skip}}(x) = x$, $\quad \mathrm{wp}_{\mathbf{skip}}(x) = x$,

(iv) $\mathrm{wlp}_{S_0;S_1}(x) = \mathrm{wlp}_{S_0}(\mathrm{wlp}_{S_1}(x))$,

(v) $\mathrm{wp}_{S_0;S_1}(x) = \mathrm{wp}_{S_0}(\mathrm{wp}_{S_1}(x))$,

(vi) $\mathrm{wlp}_{\mathbf{if}\,i:B_i \to S_i\,\mathbf{fi}}(x) = \prod_{i \in I} (\overline{d_{B_i}} + \mathrm{wlp}_{S_i}(x))$,

(vii) $\mathrm{wp}_{\mathbf{if}\,i:B_i \to S_i\,\mathbf{fi}}(x) = \prod_{i \in I} (\overline{d_{B_i}} + \mathrm{wp}_{S_i}(x)) \cdot \sum_{i \in I} d_{B_i}$,

(viii) $\mathrm{wlp}_{\mathbf{do}\,B \to S\,\mathbf{od}}(x) = \overline{\sum_{n \in \omega} \big( (d_B \cdot r_S)^n ; (\overline{d_B} \cdot \bar{x}) \big)} = \prod_{n \in \omega} (\mathrm{wlp}_{\mathbf{if}\,B \to S\,\mathbf{fi}})^n (\overline{d_B} + x)$,

(ix) $\mathrm{wlp}_{\mathbf{do}\,B \to S\,\mathbf{od}}(x)$ is the largest solution $y$ of $(\overline{d_B} + x) \cdot (\overline{d_B} + \mathrm{wlp}_S(y)) = y$,

(x) $\mathrm{wp}_{\mathbf{do}\,B \to S\,\mathbf{od}}(x)$ is the smallest solution $y$ of $(\overline{d_B} + x) \cdot (\overline{d_B} + \mathrm{wp}_S(y)) = y$,

(xi) $\mathrm{wlp}_{\mathbf{do}\,B \to S\,\mathbf{od}}(x) = \sum \{ y : (\overline{d_B} + x) \cdot (\overline{d_B} + \mathrm{wlp}_S(y)) = y \}$,

(xii) $\mathrm{wp}_{\mathbf{do}\,B \to S\,\mathbf{od}}(x) = \prod \{ y : (\overline{d_B} + x) \cdot (\overline{d_B} + \mathrm{wp}_S(y)) = y \}$.

Theorems 14 and 8 show that $\mathrm{wlp}_\cdot(\cdot)$ and $\mathrm{wp}_\cdot(\cdot)$ qualify as predicate transformer semantics according to the requirements of [9]. The requirement [9, R0, p. 132] (which also appears as [9, (0), p. 129]), that $\mathrm{wlp}_S(\cdot)$ distribute over arbitrary meets, holds by Theorem 8(ix). Note that correctness of the interpretation is not needed for R0. Definitions [9, (10)-(18), pp. 133-136], which specify $\mathrm{wlp}_S(\cdot)$ and $\mathrm{wp}_S(\cdot)$ in case $S$ is havoc, abort, or skip, hold by Theorem 14(i)(ii)(iii). Definitions [9, (?)-(25), p. 137], which specify the predicate transformers for the composition of commands $S_0;S_1$, hold by Theorem 14(iv)(v). Definitions [9, (27)-(29), p. 137], for the alternative construct if $i : B_i \to S_i$ fi, hold by Theorem 14(vi)(vii). Finally, Definitions [9, (1)-(2), p. 171], for the repetitive construct do $B \to S$ od, hold by Theorem 14(ix)(x).

The equation $r_S;1 + e_S = 1$ asserts that every state initiates either a ter­minating or a nonterminating computation of $S$ [9, p. 130]. This equation is equivalent to $\mathrm{wp}^{d}_S(1) = 1$ and equivalent to $\mathrm{wp}_S(0) = 0$. This last equation has been called the "law of the excluded miracle". Theorem 15 below shows that the basic commands havoc, abort, and skip satisfy this "law" under any correct interpretation, and that if the other basic commands also do so then all commands do so and the interpretation is "miracle-free", i.e., $\mathrm{wp}_S(0) = 0$ for every command $S$. Any miracle-free interpretation gives rise to predicate transformers that satisfy all the requirements of [9].

Theorem 15. (i) $\mathrm{wp}_{\mathbf{havoc}}(0) = \mathrm{wp}_{\mathbf{abort}}(0) = \mathrm{wp}_{\mathbf{skip}}(0) = 0$.

(ii) If $\mathrm{wp}_{S_0}(0) = 0$ and $\mathrm{wp}_{S_1}(0) = 0$ then $\mathrm{wp}_{S_0;S_1}(0) = 0$.

(iii) If $\mathrm{wp}_{S_i}(0) = 0$ for every $i \in I$, then $\mathrm{wp}_{\mathbf{if}\,i:B_i \to S_i\,\mathbf{fi}}(0) = 0$.

(iv) If $\mathrm{wp}_S(0) = 0$ then $\mathrm{wp}_{\mathbf{do}\,B \to S\,\mathbf{od}}(0) = 0$.

(v) If $\mathrm{wp}_S(0) = 0$ for every basic command $S$, then $\mathrm{wp}_S(0) = 0$ for every command $S$.

From their operational interpretation it is natural to expect that skip and abort should be deterministic. It is also natural to say that havoc is not deterministic, since, in the operational interpretation, a computation of havoc can start at any machine state and end at any other. However, even under the operational interpretation there is one case in which havoc really is deterministic, namely, when there is only one machine state. These ideas are expressed formally in the following theorem.

Theorem 16. (i) skip and abort are deterministic.

(ii) havoc is deterministic if and only if $\mathfrak{A}$ is Boolean, i.e., $1' = 1$.

Some obviously sufficient (but not necessary) conditions for determinism are given next.

Theorem 17. (i) If $S_0$ and $S_1$ are deterministic, then so is $S_0;S_1$.

(ii) Assume $S_i$ is deterministic for every $i \in I$ and $d_{B_i} \cdot d_{B_j} = 0$ whenever $i \ne j$ and $i,j \in I$. Then if $i : B_i \to S_i$ fi is deterministic.

(iii) If $S$ is deterministic, then so is do $B \to S$ od.

Next is a generalization of what is called "the Main Repetition Theorem" for do $B \to S$ od in [9]. An informal statement of this result runs as follows. Assume

(i) $P$ is a predicate,

(ii) if $P$ and $B$ hold at some state $p$ then no nonterminating computation of $S$ is possible from $p$,

(iii) if $P$ and $B$ hold at the initial state $p_i$ of a terminating computation of $S$, then $P$ holds at the final state $p_f$, and the initial state $p_i$ is in the relation $G$ to (is "greater than") the final state $p_f$, i.e., $(p_i, p_f) \in G$,

(iv) there is no infinite sequence of states such that $P$ and $B$ hold at every state in the sequence, and each state is in relation $G$ to the next state.

It follows from these assumptions that $\mathrm{wp}_{\mathbf{do}\,B \to S\,\mathbf{od}}(P)$ holds where $P$ does, that is, $P$ is a sufficient (but usually not necessary) condition for the guaranteed termination of do $B \to S$ od at a state satisfying $P$. Theorem 18 generalizes the Main Repetition Theorem in two ways. First, it does not include the assumption that $G$ is transitive, a possibility noted in [9, pp. 174-5]. Second, it applies to interpretations over arbitrary complete relation algebras, not just representable relation algebras of the form

Theorem 18. Assume $\mathfrak{A}, r, e, d$ is a correct interpretation of $\mathcal{L}$, $S$ is a command, and $B$ is a predicate. For all $p, g$ in $A$, if

(i) $p;1 = p$,

(ii) $p \cdot d_B \cdot e_S = 0$,

(iii) $p \cdot d_B \cdot r_S \le g \cdot \breve{p}$,

(iv) $\sum \{ x : x \le p \cdot d_B \cdot g;(p \cdot d_B \cdot x) \} = 0$,

then $p \le \mathrm{wp}_{\mathbf{do}\,B \to S\,\mathbf{od}}(p)$.



References 

1. James F. Allen, An interval-based representation of temporal knowledge, Proceedings of the Seventh International Joint Conference on Artificial Intelligence (IJCAI), 1981, pp. 221-226.

2. ———, Maintaining knowledge about temporal intervals, Communications of the Association for Computing Machinery 26 (11) (November 1983), 832-843.

3. James F. Allen and Patrick J. Hayes, A common-sense theory of time, Proceedings of the International Joint Conference on Artificial Intelligence (IJCAI), 1985, pp. 528-531.

4. ———, Moments and points in an interval-based temporal logic, Tech. Report TR 180, Department of Computer Science, University of Rochester, December 1987.

5. James F. Allen and Johannes A. Koomen, Planning using a temporal world model, Proceedings of the Eighth International Joint Conference on Artificial Intelligence, Karlsruhe, W. Germany, August 1983 (IJCAI), 1983, pp. 741-747.

6. George Boole, An investigation of the laws of thought on which are founded the mathematical theories of logic and probabilities, Walton and Maberley, London, 1854.

7. ———, The mathematical analysis of logic, being an essay towards a calculus of deductive reasoning, B. Blackwell, Oxford, 1948, first published in London and Cambridge, 1847.

8. Louise H. Chin and Alfred Tarski, Distributive and modular laws in the arithmetic of relation algebras, University of California Publications in Mathematics, New Series 1 (1951), 341-384.

9. Edsger W. Dijkstra and Carel S. Scholten, Predicate Calculus and Program Semantics, Springer-Verlag, New York-Berlin-Heidelberg, 1990.

10. Michael R. Garey and David S. Johnson, Computers and Intractability, A Guide to the Theory of NP-Completeness, W. H. Freeman, New York, 1979.

11. Leon Henkin, J. Donald Monk, and Alfred Tarski, Cylindric Algebras, Part I, North-Holland, Amsterdam, 1971.

12. ———, Cylindric Algebras, Part II, North-Holland, Amsterdam, 1985.

13. C. A. R. Hoare, I. J. Hayes, He Jifeng, C. C. Morgan, A. W. Roscoe, J. W. Sanders, I. H. Sorensen, J. M. Spivey, and B. A. Sufrin, Laws of programming, Communications of the A. C. M. (August, September 1987), 672-686, 770.

14. C. A. R. Hoare and He Jifeng, The weakest prespecification, Part I, Fundamenta Informaticae 9 (1986), 51-84.

15. ———, The weakest prespecification, Part II, Fundamenta Informaticae 9 (1986), 217-252.

16. Bjarni Jónsson, Varieties of relation algebras, Algebra Universalis 15 (1982), 273-298.

17. ———, The theory of binary relations, Algebraic Logic (Proc. Conf. Budapest 1988) (Amsterdam) (H. Andréka, J. D. Monk, and I. Németi, eds.), Colloq. Math. Soc. J. Bolyai, vol. 54, North-Holland, 1991, pp. 245-292.

18. Bjarni Jónsson and Alfred Tarski, Boolean algebras with operators, Part II, American Journal of Mathematics 74 (1952), 127-162.

19. Peter B. Ladkin and Roger D. Maddux, Representation and reasoning with convex time intervals, Tech. Report KES.U.88.2, Kestrel Institute, April 1988.

20. ———, On binary constraint problems, Tech. Report TR 103, Department of Computing Science and Mathematics, University of Stirling, April 1992, revised February 1993, to appear in the Journal of the Association for Computing Machinery.

21. ———, On binary constraint networks, Tech. Report KES.U.88.8, Kestrel Institute, November 1988.

22. Roger C. Lyndon, The representation of relational algebras, Annals of Mathematics (series 2) 51 (1950), 707-729.

23. Roger D. Maddux, The derivation of the Dijkstra-Scholten predicate transformer semantics from Tarski's axioms for the Peirce-Schröder calculus of relations, to appear in the South African Computer Journal.

24. ———, The working relational model for predicate transformer semantics, submitted to Theoretical Computer Science.

25. ———, Topics in Relation Algebras, Ph.D. thesis, University of California, Berkeley, 1978, pp. iii+341.

26. ———, Some varieties containing relation algebras, Transactions of the American Mathematical Society 272 (1982), 501-526.

27. ———, Finite integral relation algebras, Universal Algebra and Lattice Theory, Springer-Verlag, 1985, Proceedings of the Southeastern Conference in Universal Algebra and Lattice Theory, Charleston, S.C., July 11-14, 1984, Lecture Notes in Mathematics 1149, pp. 175-197.

28. ———, Introductory course on relation algebras, finite-dimensional cylindric algebras, and their interconnections, Algebraic Logic (Proc. Conf. Budapest 1988) (Amsterdam) (H. Andréka, J. D. Monk, and I. Németi, eds.), Colloq. Math. Soc. J. Bolyai, vol. 54, North-Holland, 1991, pp. 361-392.

29. ———, Pair-dense relation algebras, Transactions of the American Mathematical Society 328 (1991), 83-131.

30. ———, The origin of relation algebras in the development and axiomatization of the calculus of relations, Studia Logica 50 (3/4) (1991), 421-455.


















-aa- 




ROaER D. MADDUX 


31. J. Malik and T. O. Biafiitd, la <im< Proraadhip of the Eichtk latcniational Joint 

Coofemoe on Aiti&dal kitalliganoa, Karianiha, W. Gannaay, Aocnit 1M3 (UCAI), 1M3, pp. 343-345. 

33. J. M. Maitin, Diettoaarf »/ i’kt/uop&f aaJ PtfektUft, Macmillan Ic Co., New Yo^ 1911, taoood edition. 

33. J. Donald Monk, Da rcpneeatalle relalioa Midufan Mathematical Jonnal 11 (1M4), 307-310. 

34. Ancuata* Dc Moffan, Oa (kc efoeleie oj lafie, <kc Ueerf tf tic ef/lofuai, aad ia parheidar »J the oepala, 
aad (kc appk'eatiea »t tkc tkeery tf prokaktklaee to eeate faeehaaa ia <kc tkcety a/ eeideace, Ikaaaactiona of 
the Cambcidce Philoaoplneal Sociaty • (1856), T»-13T, lapiintad in [3^. 

35. __ Ob tke aylleywae, aa. IV, aad aa <ke lafie a/ ralah'aaj, TVaaaactioataof the Cambcidce Phikiaoiihical 

Society 10 (1864), 331-3S8, repciwteH in [3^. 

36. , Oa tke SfUtgum, aad Otker tofioal WVitmfe, Yale Unieeraity Piaaa, New Haaen, 1966, edited, with 
an InUodnction by. Pater Heath. 

37. Charlea Sandata Peiroa, Deaenytiaa a/ a aatahaa jtr tke lafie tf relafiaca, reaaltiaf frtm aa etayk/ieatiaa tf 
tke eaaeeytiaaa tf Bttlt't ealealaa tfltgic, Meanoiraof the American Academy of Sdencea 9 (1870), 317-378, 
capeintad by Weldi, Bigelaw and Co., Cambridca, Maaa. 1870, pp. 1-63; alao mpcwted in and [41]. 

38. , Oa tkc e^ekta a/lafie, American Jonmal of Mathematiea 3 (1880), 15-57, laprinted in [tl^. 

39. , ,1 , IVatc B: tkt It/ie a/falatiaea, Stndiaa in Logic by Memhera of the Jolma Hophina Uniaarnty (Boaton) 

(C. S. Paitoe,ad.), little. Brawn, and Co., rant, honlt »;tlifcy Max H. Piadi arMa 

Pr«4«>i»liy AAimgarllKaeli hy Inlm lt«,^j«»«m.PnMiAmgf!„ , .imI lOnt p|, 

ai-f303; paper reprinted in [4(4, pp. 187-303. 

40. ,., Calleetef Papere, Vohuac fTf. Harvard Univernty Preaa, Cambeidte, 1933, edited by Chariea 
Haitehome and Paul Waiaa. 

41. I HVitiafa tf Cktrltt S. Peirce, A Ckrtmtltfietl Eiitit* , Univenity Praaa, Blooaninctoer, 

1984, edited by Edward C. Moore, Man H. Fiach, Chriatian J. W. Kloeael, Don D. Roberta, and Lynn A. 
Ziecier. 

43. F. W. K. Eraat Schrader, Vorlceaafea aker fie Alfckra fer Ltfik ^ecaete Ltgik), Vthatt 3, Alfekra oaf 
tcfik fer Relative, pert /, aenond ad., C h e l aaa, Brotuc, New York, 1966, Brat pnbliahed hr Le^aic, 1895. 

43. R Q. Simnwir, Tke aee tf faaatitative oaf yaeiitative eiaealativae, Prooaadincaof‘Ihird National Con f e r ence 
on Artificial latellicoiwe (AAAI-83) Waabh^on, D. C., Angnat 1983,1983. 

44. Alfiad Ijareki, Oa tkc ealealaj tf rtUhtut, The Jormal of Symbolic Logic 8 (1941), 73-89. 

45. I A lattiee-tkeerctioal jEipeiat tkaarcai oaf ite eppkeatieaj, Pacifle Joamal M Malhem a tif e 5 (1955), 
385-309. 

46. Al&ad Ihnki and Steven R. Givnnt, A Permafieatiea tfSH Theory witkeat Vanaklee, CoUoqniitm Pablicn- 
tioru, taL 41, American M a them a tir a l Society, 1987. 

47. P. O. van Beak, Aateoataf ekoat yaah'tative teatpetal tp/oraiatioa, Procaedinga of AAAL90, the Eighth 
National Coitlarvaoe on Artificial htteOigence, AAAI Praaa, 1990, pp. 738-734. 

48. P. G. vnnBeekandR. Coherr, Apptvciraation alf oritkate/or tcmpoial reaeoaiaf, Procaedinga of IJCAI89, the 
11th Joint Conference on ArtificallnteHigenoe, Morgan Kanftnann, 1969, ahoit vercionof [4iH>PP' 1391-1396. 

49. I Exact aaf approximate taaeoaiaf ekoat temporal rdatioae, Compotalhmal Intelligence 8 (1990), 
133-144, long vertion of [48]. 

50. J. F. A. K. van Deirlhiim, Tke Logit tf Time, RaideL 1963. 

51. M. Vilain and H. Kanta, Coaetraiat propefatioa alforitkme /or temporal reaeoaiaf, P roc e edingeef AAAI-86, 
Morgan Kaoftnaim, 1966, pp. 377-383. 

53. M. VUain,H. Kanta, arMP.G. vanBeek, Coaetraiat propefatioa alf oritkme/or temporal reaeoaiaf, Re a dhi g a 
hr ()aalititative Raaaoniitg About Phyaical Syatema (Wdd arul de Klaer, ada.), Morgan K an fin a rm , 1969, 
reviaad v e r ai on of [51]. 

S3. AHted North Whitebaad and Bertrand Rnaaell, P ri aeipi e kfatkemetiea, Volame f, Cambridge Umvanity 
Prem, Cambiidge, England, 1910, Second editian, 1935. 

Department of Mathematics, 400 Carver Hall, Iowa State University, Ames, Iowa 50011-3066, U.S.A.

E-mail address: maddux@vincent.iastate.edu








Category theory and information system engineering

Michael Johnson and C.N.G. Dampney 


School of Mathematics, Physics, Computing and Electronics, Macquarie University

AUSTRALIA


Abstract 

This paper is a summary of a talk for AMAST 1993. The actual talk contains examples drawn from business applications which because of confidentiality agreements cannot be published here. It is hoped that we will obtain permission to publish the examples in the final paper.

We outline a number of applications of category theory to information systems engineering in major business enterprises. These applications have led to new methodologies in ER-modelling, constraint specification and process modelling. They also suggest new but as yet untested techniques for information system partitioning and architecture.

Our main thesis is that elementary category theoretic notions can have important value in the "real world" of software engineering.


1 Introduction 

There have been many applications of category theory to computer science and these have been recorded in textbooks (eg [11] [1]) and conference proceedings (eg [3] [6]). Surprisingly few of these applications have yet filtered down to affect software engineering methodologies, and to the authors' knowledge none of them has influenced information system engineering methodologies (although there have been several category theoretic treatments of information systems, see [7] [10] [12] [9]). In this paper we record some elementary categorical observations about information systems and show how they have led to improved methodologies for information system engineering. The results reported here are essentially empirical, and are based on consultancy work that we have undertaken for Telecom Australia and Caltex Oil Australia as well as several smaller enterprises.

The paper is organised as follows. Section 2 briefly reviews information systems and the dominant methodology for planning information system designs, which is ER-modelling. In Section 3 we review the definition of a category and indicate how an ER-model is essentially a category—the classifying category or theory for the information system. A brief analysis of this view shows that the categories that we need to deal with are at least lextensive [2] and that the category theoretic treatment gives a query language for free. In Section 4 we note that the main difference between an ER-model and its classifying category amounts to the specification of integrity constraints upon data which can be stored in the information system. This has led to a change in the main methodologies by giving constraint specification a much greater role in the development of information models. We show how to treat both static constraints and dynamic constraints (these latter are often business rules or government regulations which may be changed during the life of the information system). Section 5 treats process modelling which is traditionally the next stage in the development of a system after information (ER) modelling and it shows how the categorical treatment greatly simplifies process modelling. Finally Section 6 records implications of the category theoretic framework for developing different user views of an information system and for the underlying architecture of the system itself.

Overall our approach has become known as the Federated Information System (FIS) approach to information system engineering.

Acknowledgments: The authors gratefully acknowledge the Australian Research Council (ARC) and Caltex Oil Australia for supporting this research.

2 Information Systems 

There is little need to discuss the importance and pervasiveness of computer technology in our society. Yet for those of us who work in academic institutions at least, it is easy to carry a biased view of the nature of its applications. Many of us focus on important issues such as algorithms and complexity and we often have a background in scientific computation. Yet the great majority of commercial applications require very little computation. Banks, airlines, stock exchanges, telephone utilities and even manufacturers and distributors use computers mostly to store, retrieve and perform simple transformations on information. The construction and maintenance of these information systems is the major expense item in many commercial information technology departments.

As is the case with most software engineering projects a great bulk of the expense in information system engineering occurs after the production version of the system has been produced because of the need for maintenance and modification. This expense can be substantially reduced if sufficient effort is expended in the planning stages to ensure that the information system is an accurate model of the business enterprise aspects which it is intended to support, and so information system analysts have concentrated on developing good methodologies for information system specification and development.

One of the easiest mistakes to make in developing an information system is to begin by considering what the organisation believes needs to be done by the system. As business develops these needs change rapidly, and modifying a system which has been designed to perform a particular task can be very difficult. Instead we should focus on what information the business needs to keep, and build a system which stores that information and which is able to utilise it as flexibly as possible. It is empirically well established that the underlying information model of a business changes relatively slowly and that the changes are usually incremental rather than revolutionary.

Thus, information system engineering usually begins with the development of an information model. There are several ways that such a model can be represented, but by far the dominant technique is called Entity-Relationship (ER) modelling [4].

The ER approach is a graphical modelling technique. An entity is a class of something about which the business needs to store information. Examples might include CUSTOMER, EMPLOYEE, ORDER, INVOICE and PRODUCT. Each entity will correspond to a set of things at a particular point in time (for example the current set of employees). The information that we store about entities comes in two forms: there are relationships between entities (for example an order may be for several products and a product may appear on several orders so there is a many-to-many relationship between PRODUCT and ORDER) and entities have certain attributes (for example a product may have a product number and a price, an employee has a name, an address, a salary and so on). Often one attribute for each entity is treated as the key attribute so that for example a product may be always accessed via its product number. Entities are usually represented graphically as rectangular boxes, relations as lines joining the boxes (with "crows-feet" to indicate possibly multi-valued relations when necessary), and attributes as oval boxes. An example is shown here.







[Figure: an ER diagram with the entities PRODUCT and ORDER joined by a many-to-many (crows-feet) relation, and the attribute PRODUCT_NO attached to PRODUCT.]




The graphical nature of ER-models is a very important aspect of their popularity. Other specification techniques such as Z are more powerful but harder to learn. The great value of a graphical model is that an analyst can show it to business people and with only a brief explanation they can understand and if necessary correct the model.

There is an extensive methodology of ER-modelling including the reduction of models to various normal forms. The details need not concern us here except for one aspect: Many-to-many relationships can always be transformed into two many-to-one relationships by the introduction of a new entity. For example we can introduce an entity ORDER_LINE. One instance of this entity will be the order of a particular product on a particular order. Thus there will be many-to-one relations (functions) between ORDER_LINE and PRODUCT and between ORDER_LINE and ORDER. (This is just the usual "tabulation" of a relation.)

3 Category theory 

A category consists of a collection of objects and a collection of arrows, with each arrow having a specified source and target among the objects (this much is just a directed graph) together with a composition of arrows, defined whenever the arrows have a common source and target, which is associative and has identities.

Thus a category may be thought of as a directed graph together with information about composition. This information may be expressed by giving a set of relations (eg f composed with g is equal to h composed with k) and those relations are often expressed as commutative diagrams (a diagram is said to commute if any two composable paths of arrows in the diagram with common start point and common end point have equal composites).

Examples of categories include the category set whose objects are sets and whose arrows are functions between sets; grp whose objects are groups and whose arrows are group homomorphisms; more generally T-alg whose objects are algebras from some theory T and whose arrows are T-homomorphisms; and numerous small categories which can be generated by drawing a directed graph, adding identities at each vertex, and specifying composites for composable pairs of arrows.

One of the great advantages of category theory is that it has provided a graphical framework for much of mathematics. Many properties that seem to be about the internal structure of objects such as being a one element set or being the cartesian product of two sets, can be characterised by universal properties of arrows and these permit graphical arguments to prove theorems.

Further examples and definitions of specific universal properties such as pullback, terminal object and coproduct can be found in any of the basic texts [8]











3.1 A category theoretic view of an ER-model 

We aim now to show how an ER-model is essentially a category. This is motivated by the categorical treatment of universal algebra above (the T-alg example) and is treated in full in [5]. By analogy with universal algebra we will call the category the theory or classifying category of the ER-model.

Consider an ER-model, normalised as described at the end of the preceding section so that all relations are many-to-one. This model may be viewed as a directed graph whose vertices are the entities and attributes of the model and whose arrows are the relationships oriented from the many-valued entity to the one-valued entity together with arrows from each entity to each of its attributes. Notice that if the vertices of this graph are thought of as sets, and the arrows as functions, then the intended semantics of the ER-model is still well represented here (and this can be made formal via a functor to set in the usual way).

It remains to consider composition. Since the many-to-one relations in the model are intended to represent real world many-to-one relations (functions) there are real world compositions and we argue that these should be represented in the model. Many of the compositions are free in the sense that formal composites can just be added to the model (or indeed left out since such formality can be added later), but when there is a closed loop of arrows it is important to determine, by considering the real world semantics, whether the diagram commutes. Once this has been done for all possible composites we have constructed a classifying category for the ER-model.

It is remarkable that extant ER-modelling methodologies have ignored this question of commuting diagrams. Typically an analyst spends a great deal of time and effort developing a model and eventually passes it to a programmer to implement. Often it is important that the resultant program check the constraint implied by the commutativity of certain diagrams, but since the analyst has not recorded which diagrams commute it is up to the less experienced programmer to try to reconstruct the intended semantics and to decide whether a given diagram should commute!

In fact, in our experience, searching for commutative diagrams actually results in a better ER-model because it often clarifies the nature of relationships and because it provides a test of the model as it is being developed. In the lecture this is illustrated by examples taken from commercial modelling exercises.

We view the specification of which diagrams commute in an ER-model as an important part of the information modelling methodology and we are developing CASE tools to assist in this process.

3.2 Classifying categories and lextensive categories 

This section uses a little more category theory than the rest of this paper in order to accurately develop the notion of classifying category. It may be skipped by those with little category theoretic background who are mainly interested in our practical methodological results.

Universal algebra suggests a better version of the classifying category discussed above. Often an algebraic theory can be presented in several different ways, but there is a single canonical classifying category (up to equivalence of categories) obtained by taking any one of the presentations and "closing it up" under certain basic operations like taking limits. Similarly we would expect the classifying category of an information system to satisfy certain basic exactness properties and the category described in Section 3.1 is just a presentation for the canonical classifying category.

So, what basic exactness properties are required? We need a terminal object I, and arrows I → A will be used to specify instances of the entity A. We need finite coproducts for two reasons. First, entities often have substructure which is best indicated by coproducts (so for example in a small retail business the entity EMPLOYEE might be the coproduct of the entities DRIVER, SALESPERSON, CLERICAL_STAFF and MANAGEMENT). Secondly, attributes are fixed sets (so for example PRODUCT_NO might be the set of all four digit numbers; of course most of these numbers won't be used at any particular point in time, but the relationship between PRODUCT and PRODUCT_NO allows us to see which ones are currently valid product numbers). Thus attributes are usually n-fold coproducts I + ··· + I of the terminal object for some n (n = 10000 in our product numbers example). This is technically very important since the injection u_k : I → I + ··· + I allows us to pick out attribute number k from which, if the attribute is a key attribute, we can obtain information about a particular instance of the corresponding entity. Finally we need pullbacks, both to allow us to compose relations and to allow us to access the entity instances with particular attribute values.

Furthermore we expect the coproducts to behave well. They should be disjoint and universal. Thus in the presence of pullbacks and a terminal object we expect our classifying category to be a lextensive category [2].

3.3 The query language 

For use in Section 4 it is worth noting that the internal logic of the lextensive classifying category of an information system forms a query language for that system. Thus the standard queries arise as objects of the classifying category.

Models of the information system will be lextensive functors from its classifying category to set. Such functors will necessarily carry the object representing a query to the set of records which satisfy the query.









4 Constraint specification 

We show by example how to model the vast majority of the integrity constraints required in information systems by using ER-modelling with commutative diagrams. Some examples of the constraints which can be treated include the requirement that in a database of students, courses, classes and class times, it is required that no student have a clash between two timetabled classes; when an order is delivered it must be delivered to the address of the customer who placed the order; and when a contractor engages in some work involving a business resource there must be a contract that specifies that that contractor has the right to use that resource.

Some complicated constraints require the use of the query language outlined above (since a constraint may apply only to certain subentities determined by a description that can be used as a query).

In the talk we show how both permanent (static) and variable (dynamic) constraints can be easily modelled.
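To make the commutative-diagram reading of an integrity constraint concrete, here is an added example in Python (ours, not code from the paper or from the CASE tools the authors mention). It takes the second constraint listed above, that an order must be delivered to the address of the customer who placed it, and expresses it as a square that has to commute: DELIVERY → ORDER → CUSTOMER → ADDRESS along one path and DELIVERY → ADDRESS along the other. An instance of the normalised ER-model is represented the way Section 3.1 suggests, as a set of keys per entity and a function (dictionary) per many-to-one arrow; the entity names, arrow names and sample keys are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Hashable, List, Set, Tuple

# An arrow of the ER-model: (source entity, target entity, mapping of keys).
Arrow = Tuple[str, str, Dict[Hashable, Hashable]]


@dataclass
class ERInstance:
    """One state of a normalised ER-model, i.e. a functor from the model's
    classifying category to set: each entity is a set of keys and each
    many-to-one relationship is a function between those sets."""
    entities: Dict[str, Set[Hashable]]
    arrows: Dict[str, Arrow]

    def check_functions(self) -> List[str]:
        """Every arrow must be a total function from its source into its target;
        otherwise the instance is not a model of the category at all."""
        problems = []
        for name, (src, tgt, f) in self.arrows.items():
            missing = self.entities[src] - set(f)
            if missing:
                problems.append(f"{name}: undefined on {sorted(missing)}")
            dangling = sorted(k for k, v in f.items() if v not in self.entities[tgt])
            if dangling:
                problems.append(f"{name}: value outside {tgt} for {dangling}")
        return problems

    def compose(self, path: List[str]) -> Arrow:
        """Composite of a path of arrow names, applied left to right."""
        src = self.arrows[path[0]][0]
        mapping = {k: k for k in self.entities[src]}   # start from the identity
        here = src
        for name in path:
            s, t, f = self.arrows[name]
            if s != here:
                raise ValueError(f"{name} does not compose: expected source {here}, got {s}")
            mapping = {k: f[v] for k, v in mapping.items()}
            here = t
        return src, here, mapping

    def violations(self, path_a: List[str], path_b: List[str]) -> List[Hashable]:
        """Keys at the common source on which the two composites disagree.
        The diagram commutes in this instance iff the list is empty."""
        sa, ta, fa = self.compose(path_a)
        sb, tb, fb = self.compose(path_b)
        if (sa, ta) != (sb, tb):
            raise ValueError("both paths must share source and target")
        return sorted(k for k in self.entities[sa] if fa[k] != fb[k])


# Constructed sample instance: delivery D2 went to an address that is not
# the address of the customer who placed order O2.
SAMPLE = ERInstance(
    entities={
        "CUSTOMER": {"C1", "C2"},
        "ADDRESS": {"A1", "A2", "A3"},
        "ORDER": {"O1", "O2"},
        "DELIVERY": {"D1", "D2"},
    },
    arrows={
        "order_customer": ("ORDER", "CUSTOMER", {"O1": "C1", "O2": "C2"}),
        "customer_address": ("CUSTOMER", "ADDRESS", {"C1": "A1", "C2": "A2"}),
        "delivery_order": ("DELIVERY", "ORDER", {"D1": "O1", "D2": "O2"}),
        "delivered_to": ("DELIVERY", "ADDRESS", {"D1": "A1", "D2": "A3"}),
    },
)

# The delivery constraint as a commuting square: both paths start at DELIVERY
# and end at ADDRESS, and must agree on every delivery.
LONG_WAY = ["delivery_order", "order_customer", "customer_address"]
SHORT_WAY = ["delivered_to"]


def check_delivery_constraint(inst: ERInstance = SAMPLE) -> List[Hashable]:
    """Returns the deliveries that break the constraint (empty when it holds)."""
    problems = inst.check_functions()
    if problems:
        raise ValueError(problems)
    return inst.violations(LONG_WAY, SHORT_WAY)


if __name__ == "__main__":
    print("offending deliveries:", check_delivery_constraint())
```

Because the check is written against paths of arrow names rather than against one hard-coded rule, the same `violations` call serves any diagram the analyst has marked as commuting; the programmer no longer has to guess which loops carry a constraint, which is exactly the gap Section 3.1 complains about.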

5 Process modelling

Once a satisfactory ER-model has been developed it is common to work out a process model for the business which shows the important processes carried out by the business and how they trigger one another. The process model will be much less general than the ER-model since it will tell us about how the business is currently organised (and this may change).

Traditionally the process model is influenced by the ER-model, but our new methodology for ER-modelling makes the link explicit. Consider the diagrams in the ER-model which have been specified as commuting. Typically each of these loops represents an individual process and reconciliation cycle. This is because, in order to update the information system, it is usually necessary to update an instance at each vertex of the diagram and then finally to check that commutativity has been preserved.

Thus to develop the process model one calculates a kind of graph dual of the ER-model in which specified commutative diagrams correspond to processes and common vertices between such commutative diagrams correspond to triggers between the processes.

Of course it is often the case that an analyst can further refine the process model, but it is useful to note that the greater part of the work of developing a process model has already been done if one has specified the commutative diagrams in the ER-model.

Once again this point is illustrated with real world examples in the talk.
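The "graph dual" construction above is mechanical enough to write down, so here is an added Python example (ours, not the paper's) that computes it. Each commuting diagram is given only by its set of vertices (the entities whose instances the corresponding process must update and re-check); processes become nodes, and a trigger joins two processes whenever their diagrams share a vertex. The diagram names and entity sets are constructed for the example.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

# Constructed commuting diagrams of a hypothetical ER-model, each named for the
# business process / reconciliation cycle it gives rise to and listed by the
# vertices (entities) that process must update before re-checking commutativity.
DIAGRAMS: Dict[str, FrozenSet[str]] = {
    "deliver_order": frozenset({"DELIVERY", "ORDER", "CUSTOMER", "ADDRESS"}),
    "invoice_order": frozenset({"INVOICE", "ORDER", "CUSTOMER"}),
    "engage_contractor": frozenset({"WORK", "CONTRACTOR", "RESOURCE", "CONTRACT"}),
}

Graph = Dict[Tuple[str, str], FrozenSet[str]]


def process_graph(diagrams: Dict[str, FrozenSet[str]]) -> Graph:
    """The graph dual of the ER-model: processes are the diagrams, and two
    processes are joined by a trigger whenever their diagrams share a vertex,
    because an update to that shared entity forces both reconciliations to run.
    Returns {(p, q): shared vertices} for p < q with a non-empty intersection."""
    graph: Graph = {}
    for p, q in combinations(sorted(diagrams), 2):
        shared = diagrams[p] & diagrams[q]
        if shared:
            graph[(p, q)] = shared
    return graph


def triggered_by(entity: str, diagrams: Dict[str, FrozenSet[str]]) -> List[str]:
    """Processes whose reconciliation must run when an instance of `entity` changes."""
    return sorted(p for p, verts in diagrams.items() if entity in verts)


def reconciliation_plan(name: str, diagrams: Dict[str, FrozenSet[str]], graph: Graph) -> List[str]:
    """Work list for one process: update each vertex, check the diagram still
    commutes, then fire the triggers to every neighbouring process."""
    steps = [f"update {v}" for v in sorted(diagrams[name])]
    steps.append(f"check {name} commutes")
    for (p, q), shared in graph.items():
        if name in (p, q):
            other = q if p == name else p
            steps.append(f"trigger {other} via {sorted(shared)}")
    return steps


if __name__ == "__main__":
    g = process_graph(DIAGRAMS)
    for edge, shared in g.items():
        print(edge, "share", sorted(shared))
    print(reconciliation_plan("invoice_order", DIAGRAMS, g))
```

In the sample, delivery and invoicing are coupled through ORDER and CUSTOMER, while the contractor process stands alone; that isolation is the property Section 6 later wants to exploit when it partitions a system by groups of related diagrams.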

6 Views and architectural implications 

The methodology that we have been describing also has some as yet untested implications for other aspects of information system development.

One particularly difficult problem in dealing with large information systems is the presentation of different views of the system for different users. The problem is essentially one of how to partition the system so that users can see a relatively complete view related to the aspects that are of relevance to them without having to look at the whole system. The recognition of commuting diagrams as processes suggests that the best partitioning would be obtained by choosing a related group of commutative diagrams. This will be developed in work currently in progress.

This partitioning can be carried further. The growth of very large information systems has led to problems of complexity and context retention which might best be solved by allowing business units a certain autonomy with their information systems. However, integration of such systems is necessary and the complexity of the interaction between subsystems can be dangerous. We propose the development of a corporate information (ER) model which can be used to determine, via commutative diagrams, how to partition the system into subsystems. This will require duplicating entities that happen to fall into two subsystems and providing a message passing mechanism to allow the two copies to remain synchronised. However, if the partitioning is done well, and we believe an analysis based on commutative diagrams will do this, then it is likely that the interaction between subsystems will be quite manageable.

This proposed architecture for information systems is the source of the name Federated Information Systems.
Abstract

This paper provides an introduction to the use of timed CSP in reasoning about real-time systems. The language of timed CSP and the denotational timed failures model are reviewed, and the underlying theory is discussed. The algebraic style of specification is discussed, followed by the behavioural specification approach. A simple timed buffer example is treated using both methods.


1 Introduction

A real-time system is one whose correct operation relies upon some consideration of its quantitative timed behaviour; examples include traffic lights, gas burners, washing machines, and nuclear power plants. Many specifications on such systems are concerned with explicit timing properties such as response time or delay time. To reason rigorously about them, it is necessary to be able to capture real-time properties in a precise way, and to have some model of computation that incorporates time.

There are a number of approaches that have been taken to provide a rigorous foundation for reasoning about real-time systems. One approach is to focus attention on specifications, providing a language suitable for capturing and reasoning about real-time requirements independent of any particular formalism for describing systems. Metric temporal logic [KoySS] and the duration calculus [ZHR91] are two examples. Such specification languages are generally supported mathematically by an underlying model, and may be used with a variety of system description formalisms.

The complementary approach is to begin with a way of describing processes. There are many ways timed systems may be described, including timed automata [AlD91], timed graphs [LyV91], timed petri nets (e.g. [CoR8?]), a multitude of timed process algebras [BaB91, HeR91, MoT90, Che91, Wan91, ReR88, NiS90], timed versions of LOTOS [QuF87, BoL91]

Processes or abstract programs are often used as specifications in their own right, by treating them as descriptions of how a system is intended to behave.
In this case, another essential part of the specification is how a proposed implementation should relate to the specifying process. It may be required to be equivalent with respect to a set of axioms (as is often the case when the underlying semantics is axiomatic), or bisimilar, or testing equivalent (both with respect to an operational semantics), or equal in some denotational model. Alternatively, some notion of refinement may be preferred; a set of axioms might define a notion of refinement, or perhaps some simulation relation should hold between specification and implementation, or the implementation should pass more tests, or else their meanings should be related by some refinement in a denotational model.

In addition, the specification-oriented and the process-oriented approaches are often combined. A programming language may be provided together with an independent way of talking about properties. For example, timed graphs may be related to temporal logic [ACD93]; an occam-like language [Hoo91] may use metric temporal logic as a specification language, or a process algebra may be used in conjunction with a Hennessy-Milner style logic [HeM85]. Furthermore, any language with a denotational semantics will support specifications expressed directly as properties on subsets of the denotational model.

This paper describes two approaches that may be taken with the process algebra of timed Communicating Sequential Processes (CSP). It begins by reviewing the language, which is an extension of Hoare's CSP [Hoa85] which includes an explicit timing construct. Its denotational semantics is then given in terms of timed traces and timed refusals. The underlying theory is reviewed, as it is this theory which underpins all application of CSP. Finally, two approaches to specification are discussed. The language may be used as a specification language in the sense above, leading to processes as 'algebraic' specifications. The CSP approach to nondeterminism as underspecification leads naturally to a refinement relationship between a specification captured as a process, and a proposed implementation which should be at least as deterministic. The denotational semantics also makes it possible to capture requirements as properties on elements of the semantic model. This is done by specifying acceptable behaviour in a typical execution, and then requiring that all possible executions of a proposed implementation meet this specification.


2 Communicating Sequential Processes

In common with other process algebras, CSP is concerned purely with the communication patterns of processes, abstracting away internal state information which may be separated from communication behaviour. This abstraction remains appropriate for real-time systems since they are generally reactive, maintaining continual interaction with their environment.
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EvMito 

A piocaM M modeUed in (enna of the poaible intenctioiia it can have with ita 
aaviionment. 'niaae intoractiona are daacribod in tanna of inatantaaaoua atomic 
ayncfaraniaationa, or evnata. Thk notion of ^nchroniaation ia conaideted to 
be primitive: both a^nchfonona communication and commnnication by meana 
ahaied memory mey be modeUed in tenna ot it. When a proeeea will be 
cooperating with ita environment for eome length (d time, thia ia modelled in 
tenna of an event at the point where they agree to cooperate. For example, a 
oonple involved in a wedding eervioe will 1^ interacting for eome time, yet there 
ia a predae inatant at which they become married. 

CoanpatntkMinl iikkM 

A number of assumptions are made about the underlying model of computation.

• Maximal progress: A synchronisation event occurs as soon as all participants are ready to perform it.

• Maximal parallelism: Every process has a dedicated processor; processes do not compete for processor time.

• Finite variability: No process may perform infinitely many events, or undergo infinitely many state changes, in a finite interval of time.

• Real-time: Time is taken to be the non-negative real numbers. Thus it is possible for events to occur at any non-negative real time. Since the reals are dense, our maximal parallelism assumption above means that there is no lower bound on the time difference between two independent events.

The language of CSP

Let Σ be the set of all possible events. The terms of CSP are given by the following Backus-Naur form:

$$
\begin{array}{lll}
P ::= & Stop \mid Skip \mid P ; P \mid a \to P \mid & \text{sequential} \\
      & P \,\Box\, P \mid P \sqcap P \mid P \triangleright_t P \mid & \text{choice} \\
      & P \,{}_A\|_B\, P \mid P \,|||\, P \mid & \text{parallel} \\
      & P \setminus A \mid f(P) \mid f^{-1}(P) \mid & \text{abstraction} \\
      & X \mid \mu X \bullet P & \text{recursion}
\end{array}
$$

where a is drawn from Σ, A is drawn from P(Σ), t from [0, ∞), f is a function Σ → Σ, and X is drawn from the set of process variables. CSP processes are terms with no free process variables (every process variable is bound by some μ expression), for which every recursive expression is guarded, as defined below.

The process Stop represents the deadlocked process, unable to engage in any events or make any progress. The process Skip is the immediately terminating process. A sequential composition P ; Q initially behaves as P, but once P terminates, control is immediately passed, and the subsequent behaviour is that of Q. Thus we would expect Skip ; P = P for any P, and Stop ; P = Stop, and indeed the semantic model supports these equations.

The prefix process a → P is ready initially to engage in event a. It will continue to wait until its environment is also ready to perform it, at which point it will synchronise on this event. Once the event is performed its subsequent behaviour will be that of process P. There is no delay between the occurrence of a and the beginning of P.

An external choice P □ Q is initially ready to engage in events that either P or Q is ready to engage in. The first event performed resolves the choice in favour of the component that was able to perform it, and the subsequent behaviour is given by this component. If both components were able to perform the first event, then the choice is resolved nondeterministically.

An internal choice P ⊓ Q behaves either as P or as Q, but unlike the external choice, the environment cannot influence the way the choice is resolved.

The timeout choice P ▷_t Q initially behaves as process P. If an event is performed before time t, then the choice is resolved in favour of P which continues to execute, and Q is discarded. If no such event is performed, then the timeout occurs at time t, and the subsequent behaviour is that of Q.

The parallel combination P A||B Q allows P to engage in events from the set A, and Q to engage in events from the set B. The processes P and Q must synchronise on all events in the intersection A ∩ B of these two interfaces, but other events are performed independently. The asynchronous parallel combination P ||| Q represents the independent concurrent execution of P and Q, with no synchronisation between them on any events.

The hiding operator P \ A allows encapsulation of events in the set A; these events are made internal to the process, and are thus removed from the control of the environment. Since the cooperation of the environment is no longer required for these events, the only participants will be the components of P, and so the maximal progress assumption tells us that these internal events will occur as soon as P is ready to perform them. Hence internal events occur as soon as they are ready.

The interface renaming operators f(P) and f⁻¹(P) have the effect of changing the names of events through the alphabet mapping function f.


Recursion

A recursive term μX • P behaves as P, with every occurrence of X in P representing an immediate recursive invocation. Thus we will have the usual law

$$ \mu X \bullet P = P[\mu X \bullet P / X] $$

We require that any recursive term of the form μX • P has that P is t-guarded for X for some t > 0. The following rules define when a timed CSP term P is t-guarded for variable X; a full discussion of t-guardedness can be found in [DaS93].

• For any X and t:

1. Stop, Skip are t-guarded for X
2. X is 0-guarded for X
3. Y ≠ X is t-guarded for X
4. μX • P is t-guarded for X

• If P is t-guarded for X:

1. a → P, P \ A, f(P), f⁻¹(P), and μY • P are all t-guarded for X

• If P and Q are t-guarded for X:

1. P □ Q, P ⊓ Q, P ; Q, P A||B Q, P ||| Q are all t-guarded for X

• If P is t-guarded for X, and Q is t'-guarded for X:

1. P ▷_u Q is min{t, u + t'}-guarded for X

Derived operators

A number of derived operators may be defined. The delay process Wait t, a timed form of Skip, which does nothing for t units of time and then terminates successfully, may be defined by the following equivalence:

$$ Wait\ t = Stop \triangleright_t Skip $$

The timeout choice waits for t units of time, but the process Stop is unable to perform any event, and so the timeout will never be resolved in its favour. Thus at time t control is passed to Skip, which then terminates immediately.

A delayed form of prefixing may then be defined:

$$ a \xrightarrow{\ t\ } P = a \to (Wait\ t ; P) $$

After the performance of event a, there is a delay of t units of time before control reaches P. The original version of timed CSP [ReR86, Ree88] treated prefixing as automatically delayed, with a constant delay δ. This would now be written as a −δ→ P.
Generalising choice to allow infinite choices is often useful. The prefix choice x : A → P_x is initially willing to perform any event from set A, and remains so willing until some event is chosen. Its subsequent behaviour, given by P_x, is dependent upon that event. Using this operator, an input construct can be defined, allowing the input on channel in of any item x in a set M:

$$ in?x : M \to Q(x) = a : in.M \to P_a $$

where the set in.M = {in.m | m ∈ M} and P_{in.m} = Q(m) for every m ∈ M. The atomic synchronisation events here are of the form in.m.

Infinite nondeterministic choice may also be defined. The process ⊓_{i∈I} P_i for some indexing set I may behave as any of its arguments P_i. Thus for example a nondeterministic delay over some interval I may be defined:

$$ Wait\ I = \sqcap_{t \in I}\, Wait\ t $$

This may delay for any time drawn from the interval I. If each of the P_i is t-guarded for X, then so is their infinite choice. Furthermore, if P is t-guarded for X, then Wait I ; P is (t + inf I)-guarded for X.

Finally, it is straightforward to generalise recursion to mutual recursion (finite or infinite); for further details see [DaS93].
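The guardedness rules above, together with the stated bounds for the delayed prefix a −t→ P and for Wait I ; P, as an added example (my own code, not the paper's); the tuple encoding of terms and the function names are assumptions of the example.

```python
"""Added example (not from the paper): the t-guardedness rules for timed CSP
terms, computed structurally over a small tuple-based syntax."""
import math

# Term constructors. The tuple representation is an assumption of this example.
STOP = ("Stop",)
SKIP = ("Skip",)

def var(x):            return ("Var", x)
def prefix(a, p):      return ("Prefix", a, p)           # a -> P
def ext(p, q):         return ("Ext", p, q)              # P [] Q
def intc(p, q):        return ("Int", p, q)              # P |~| Q
def seq(p, q):         return ("Seq", p, q)              # P ; Q
def timeout(p, u, q):  return ("Timeout", p, u, q)       # P |>_u Q
def par(p, q):         return ("Par", p, q)              # P A||B Q or P ||| Q
def hide(p, events):   return ("Hide", p, events)        # P \ A
def rename(p):         return ("Rename", p)              # f(P) or f^-1(P)
def mu(x, p):          return ("Mu", x, p)               # mu X . P
def wait(lo, hi):      return ("Wait", lo, hi)           # Wait [lo, hi]

def dprefix(a, t, p):
    """Delayed prefix a -t-> P, defined on the page as a -> (Wait t ; P)."""
    return prefix(a, seq(wait(t, t), p))

def guard(p, x):
    """Largest t for which the rules show P to be t-guarded for X.
    math.inf means X is never reached (Stop, Skip, Wait, other variables)."""
    tag = p[0]
    if tag in ("Stop", "Skip", "Wait"):
        return math.inf                      # Stop, Skip are t-guarded for every t
    if tag == "Var":
        return 0 if p[1] == x else math.inf  # X is 0-guarded; Y != X is t-guarded
    if tag == "Mu":
        # mu X . P rebinds X (t-guarded for all t); mu Y . P inherits P's guard
        return math.inf if p[1] == x else guard(p[2], x)
    if tag == "Prefix":
        return guard(p[2], x)                # a -> P inherits P's guard
    if tag in ("Hide", "Rename"):
        return guard(p[1], x)
    if tag == "Seq":
        if p[1][0] == "Wait":                # Wait I ; P is (t + inf I)-guarded
            return p[1][1] + guard(p[2], x)
        return min(guard(p[1], x), guard(p[2], x))
    if tag in ("Ext", "Int", "Par"):
        return min(guard(p[1], x), guard(p[2], x))
    if tag == "Timeout":                     # P |>_u Q is min{t, u + t'}-guarded
        _, lhs, u, rhs = p
        return min(guard(lhs, x), u + guard(rhs, x))
    raise ValueError(f"unknown term {tag}")

def well_formed_recursion(term):
    """mu X . P is admissible only if P is t-guarded for X with t > 0."""
    assert term[0] == "Mu"
    return guard(term[2], term[1]) > 0
```

For instance μX • a → X is only 0-guarded and is rejected, while the buffer Q = μX • in −3→ out → X is 3-guarded.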

A mathematical model

Notation

The variables t and u range over the set of non-negative real numbers. Variable s ranges over (R⁺ × Σ)*, the finite sequences of timed events. We also use ℵ ⊆ R⁺ × Σ.

We use the following operations on sequences: #s is the length of the sequence s; s₁ ^ s₂ denotes the concatenation of s₁ and s₂. We define the beginning and end of a sequence of timed events as follows: begin(⟨(t, a)⟩ ^ s) = t, end(s ^ ⟨(t, a)⟩) = t, and for convenience begin(⟨⟩) = ∞ and end(⟨⟩) = 0. The notation s₁ ≼ s₂ means that s₁ is a subsequence of s₂, and s₁ ≤ s₂ means that s₁ is a prefix of s₂. The following projections on sequences are defined by list comprehension:

$$
\begin{array}{lcl}
s \lhd t & = & \langle (u, a) \mid (u, a) \leftarrow s,\ u < t \rangle \\
s \unlhd t & = & \langle (u, a) \mid (u, a) \leftarrow s,\ u \le t \rangle \\
s \rhd t & = & \langle (u, a) \mid (u, a) \leftarrow s,\ u > t \rangle \\
s \uparrow I & = & \langle (u, a) \mid (u, a) \leftarrow s,\ u \in I \rangle \\
s \upharpoonright A & = & \langle (u, a) \mid (u, a) \leftarrow s,\ a \in A \rangle \\
s \setminus A & = & \langle (u, a) \mid (u, a) \leftarrow s,\ a \notin A \rangle \\
s - t & = & \langle (u - t, a) \mid (u, a) \leftarrow s,\ u \ge t \rangle \\
s + t & = & \langle (u + t, a) \mid (u, a) \leftarrow s \rangle \\
strip(s) & = & \langle a \mid (u, a) \leftarrow s \rangle \\
\sigma(s) & = & \{ a \mid (u, a) \leftarrow s \}
\end{array}
$$

We also define a number of projections on sets of timed events:

$$
\begin{array}{lcl}
\aleph \lhd t & = & \{ (u, a) \mid (u, a) \in \aleph,\ u < t \} \\
\aleph \rhd t & = & \{ (u, a) \mid (u, a) \in \aleph,\ u > t \} \\
\aleph \upharpoonright A & = & \{ (u, a) \mid (u, a) \in \aleph,\ a \in A \} \\
\aleph - t & = & \{ (u - t, a) \mid (u, a) \in \aleph,\ u \ge t \} \\
\sigma(\aleph) & = & \{ a \mid (u, a) \in \aleph \} \\
end(\aleph) & = & \sup\{ u \mid (u, a) \in \aleph \}
\end{array}
$$

We will use (s, ℵ, u) − t as an abbreviation for (s − t, ℵ − t, max{0, u − t}), and end(s, ℵ) for max{end(s), end(ℵ)}.

Observations

To provide a denotational semantics for the CSP operators, we construct a model of possible meanings for processes. This will be given in terms of observations that may be made of processes as they execute. We first define a set of possible observations OBS, and then associate with each process the set of observations that may be made of it. Processes are considered to be the same if the associated sets of observations are identical.

Any observation of an execution of a process must include a record of those events that were performed, and the times at which they occurred. A timed trace is a finite sequence of timed events, drawn from the set [0, ∞) × Σ, such that the times associated with the events appear in non-decreasing order. Formally, we define the set TT of all possible timed traces as

$$ TT = \{ s \in ([0, \infty) \times \Sigma)^* \mid \langle (t_1, a_1), (t_2, a_2) \rangle \preceq s \Rightarrow t_1 \le t_2 \} $$

Timed traces provide much information concerning the possible executions of processes. But these systems are reactive, and so we are also interested in knowing when they will be able to interact with an environment which is ready to perform certain events, and when they will not be able to do so. Although this information may be deduced from the trace information in the case of deterministic systems, trace information is not sufficient in the case of nondeterministic systems. For example, the traces of

$$ a \to Stop \qquad \text{and} \qquad Stop \sqcap a \to Stop $$

are the same, yet the first must always respond in an environment in which a is ready, whereas the second may not.




We will therefore also record timed refusal information. A timed refusal is made up of those events (with times) which the process refused to engage in during an execution. Our assumption of finite variability allows us to simplify the treatment of such sets. Since a process will continue to refuse an event while it remains in the same state, and since only finitely many state changes are possible in a finite time, we may consider a timed refusal as a step function from times to sets of events, containing the information about which set of events may be refused at which times.

Refusal information at a time t is considered to be subsequent to the events recorded in the trace at that time. For example, in the process

$$ a \to Stop \ \Box\ b \to Stop $$

the event b cannot be refused before any events have occurred. But at the instant t at which a occurs, the possibility of b is withdrawn and so it may be refused from t onwards. Thus we consider the step function to be closed at the lower end of a step, and open at the upper end. Observe that once a single a has occurred, then it too may be refused from that instant onwards, since no further copies of a are possible for the process.

Refusal sets are formally defined as those sets of events which can be expressed as finite unions of refusal tokens; this captures the required step structure:

$$ RTOK = \{ [b, e) \times A \mid 0 \le b < e < \infty \wedge A \subseteq \Sigma \} $$

$$ RSET = \{ \textstyle\bigcup R \mid R \in \mathbb{F}(RTOK) \} $$

A single observation will consist of a timed failure, made up of a trace s ∈ TT, a refusal set ℵ ∈ RSET, and a time t < ∞ which is the duration of the observation, and must therefore be greater than or equal to all times mentioned in s and ℵ. The trace and refusal are both recorded during the same execution. The information that (s, ℵ, t) is an observation of P tells us that P has some execution up to time t during which the events in s were performed and the events in ℵ were refused. In contrast to the untimed failures model for CSP, this refusal contains information concerning events that were refused before, during and after the performance of s, whereas an untimed refusal set contains only information after the end of the trace.

There is also another, contrapositive, view of the information contained in (s, ℵ, t): as a partial record of an experiment on the process P. We may consider ℵ as containing some information about what the environment of P was ready to perform, and the trace s may be considered as the response of P in this environment. For example, if we place the process Wait 1 ; a → Stop in an environment which is ready to perform a at all times between 0 and t, then we would expect to see the event a occur at time 1. This corresponds to the observation (⟨(1, a)⟩, [0, t) × {a}, t). This is also expected under the previous view: before time 1, the event a is not possible, and so it may be refused. At time 1, the event a occurs, and any further occurrences are not possible; since the refusal at time 1 is subsequent to the trace, we allow a to be refused at time 1, and from that time onwards. Thus the event a may be refused over the interval [0, t) provided one copy of it is performed at time 1. The information that a is also refused at time 1 simply states that the process may refuse to engage in further copies of that event.

Our set of observations is thus given by

$$ OBS = \{ (s, \aleph, t) \mid end(s) \le t \wedge end(\aleph) \le t \} $$

and processes will be associated with subsets of OBS.

The model

We identify a number of healthiness conditions, or axioms of the model TM_F, which we would expect any set of observations consistent with some process to meet. Thus the timed failures model TM_F is defined to be those subsets S of OBS satisfying the following conditions:

$$
\begin{array}{ll}
1. & (\langle\rangle, \{\}, 0) \in S \\[4pt]
2. & (s \frown s', \aleph, t) \in S \Rightarrow (s, \aleph \lhd begin(s'), t) \in S \\[4pt]
3. & (s, \aleph, t) \in S \wedge \aleph' \in RSET \wedge \aleph' \subseteq \aleph \Rightarrow (s, \aleph', t) \in S \\[4pt]
4. & (s, \aleph, t) \in S \Rightarrow \\
   & \quad \exists \aleph' \in RSET \bullet \aleph \subseteq \aleph' \wedge (s, \aleph', t) \in S \\
   & \quad \wedge\ \forall (u, a) \in [0, t) \times \Sigma \bullet \\
   & \qquad ((u, a) \notin \aleph' \Rightarrow (s \unlhd u \frown \langle (u, a) \rangle, \aleph' \lhd u, u) \in S) \\
   & \qquad \wedge\ ((u > 0 \wedge \neg \exists \epsilon > 0 \bullet ([u - \epsilon, u) \times \{a\} \subseteq \aleph')) \\
   & \qquad\qquad \Rightarrow (s \lhd u \frown \langle (u, a) \rangle, \aleph' \lhd u, u) \in S) \\[4pt]
5. & \forall t \bullet \exists n \in \mathbb{N} \bullet \forall s, \aleph \bullet (s, \aleph, t) \in S \Rightarrow \#s \le n \\[4pt]
6. & (s, \aleph, t) \in S \Rightarrow \forall u \ge end(s, \aleph) \bullet (s, \aleph, u) \in S
\end{array}
$$

Axiom 1 states that the empty observation must be possible. Axioms 2 and 3 state that if a particular observation is possible, then observations containing less information must also be possible. Axiom 4 essentially states that any event must be possible or refusible: that there must be a 'complete' extension of the observed refusal set such that any timed event not in the complete refusal could have been performed. Axiom 5 enforces a speed limit on processes, which implies finite variability. Axiom 6 states that the same traces and refusals may be observed however long the process is watched. This last axiom implies that the duration information is redundant; the possible durations may be deduced from the trace and refusal information alone. However, we retain this information as an aid to specification.
The semantic function F_T

We provide semantics only for the basic terms of the language without free variables; this may be lifted in the usual way [DaS93] to the language containing free variables.

The semantic function

$$ \mathcal{F}_T : TCSP \to TM_F $$

is defined by the following set of equations:

$$
\begin{array}{lcl}
\mathcal{F}_T[\![Stop]\!] & = & \{ (s, \aleph, t) \mid s = \langle\rangle \} \\[6pt]
\mathcal{F}_T[\![Skip]\!] & = & \{ (\langle\rangle, \aleph, t) \mid \checkmark \notin \sigma(\aleph) \} \\
 & \cup & \{ (\langle (u, \checkmark) \rangle, \aleph, t) \mid \checkmark \notin \sigma(\aleph \lhd u) \} \\[6pt]
\mathcal{F}_T[\![P ; Q]\!] & = & \{ (s, \aleph, t) \mid \checkmark \notin \sigma(s) \wedge (s, \aleph \cup ([0, t) \times \{\checkmark\}), t) \in \mathcal{F}_T[\![P]\!] \} \\
 & \cup & \{ (s, \aleph, t) \mid s = s_P \frown s_Q \wedge \checkmark \notin \sigma(s_P) \\
 & & \quad \wedge\ (s_Q, \aleph, t) - u \in \mathcal{F}_T[\![Q]\!] \wedge begin(s_Q) \ge u \\
 & & \quad \wedge\ (s_P \frown \langle (u, \checkmark) \rangle, \aleph \lhd u \cup ([0, u) \times \{\checkmark\}), u) \in \mathcal{F}_T[\![P]\!] \} \\[6pt]
\mathcal{F}_T[\![a \to P]\!] & = & \{ (\langle\rangle, \aleph, t) \mid a \notin \sigma(\aleph) \} \\
 & \cup & \{ (\langle (u, a) \rangle \frown s, \aleph, t) \mid a \notin \sigma(\aleph \lhd u) \wedge (s, \aleph, t) - u \in \mathcal{F}_T[\![P]\!] \} \\[6pt]
\mathcal{F}_T[\![P \,\Box\, Q]\!] & = & \{ (\langle\rangle, \aleph, t) \mid (\langle\rangle, \aleph, t) \in \mathcal{F}_T[\![P]\!] \cap \mathcal{F}_T[\![Q]\!] \} \\
 & \cup & \{ (s, \aleph, t) \mid s \ne \langle\rangle \wedge (s, \aleph, t) \in \mathcal{F}_T[\![P]\!] \cup \mathcal{F}_T[\![Q]\!] \\
 & & \quad \wedge\ (\langle\rangle, \aleph \lhd begin(s), begin(s)) \in \mathcal{F}_T[\![P]\!] \cap \mathcal{F}_T[\![Q]\!] \} \\[6pt]
\mathcal{F}_T[\![P \sqcap Q]\!] & = & \mathcal{F}_T[\![P]\!] \cup \mathcal{F}_T[\![Q]\!] \\[6pt]
\mathcal{F}_T[\![P \triangleright_u Q]\!] & = & \{ (s, \aleph, t) \mid begin(s) < u \wedge (s, \aleph, t) \in \mathcal{F}_T[\![P]\!] \} \\
 & \cup & \{ (s, \aleph, t) \mid begin(s) \ge u \wedge (\langle\rangle, \aleph \lhd u, u) \in \mathcal{F}_T[\![P]\!] \\
 & & \quad \wedge\ (s, \aleph, t) - u \in \mathcal{F}_T[\![Q]\!] \} \\[6pt]
\mathcal{F}_T[\![P \,{}_A\|_B\, Q]\!] & = & \{ (s, \aleph, t) \mid \exists \aleph_P, \aleph_Q \bullet \aleph \upharpoonright (A \cup B) = (\aleph_P \upharpoonright A) \cup (\aleph_Q \upharpoonright B) \\
 & & \quad \wedge\ s = s \upharpoonright (A \cup B) \\
 & & \quad \wedge\ (s \upharpoonright A, \aleph_P, t) \in \mathcal{F}_T[\![P]\!] \wedge (s \upharpoonright B, \aleph_Q, t) \in \mathcal{F}_T[\![Q]\!] \} \\[6pt]
\mathcal{F}_T[\![P \,|||\, Q]\!] & = & \{ (s, \aleph, t) \mid \exists s_P, s_Q \bullet s \in s_P \,|||\, s_Q \\
 & & \quad \wedge\ (s_P, \aleph, t) \in \mathcal{F}_T[\![P]\!] \wedge (s_Q, \aleph, t) \in \mathcal{F}_T[\![Q]\!] \}
\end{array}
$$

where s_P ||| s_Q is the set of timed traces consisting of an interleaving of s_P and s_Q.

$$
\begin{array}{lcl}
\mathcal{F}_T[\![P \setminus A]\!] & = & \{ (s \setminus A, \aleph, t) \mid (s, \aleph \cup ([0, t) \times A), t) \in \mathcal{F}_T[\![P]\!] \} \\[4pt]
\mathcal{F}_T[\![f(P)]\!] & = & \{ (f(s), \aleph, t) \mid (s, f^{-1}(\aleph), t) \in \mathcal{F}_T[\![P]\!] \} \\[4pt]
\mathcal{F}_T[\![f^{-1}(P)]\!] & = & \{ (s, \aleph, t) \mid (f(s), f(\aleph), t) \in \mathcal{F}_T[\![P]\!] \}
\end{array}
$$

The infinite choice constructs are not always well defined, since axiom 5 might be violated if there is no speed limit which applies to all the arguments simultaneously. We say that a set of processes R is uniformly bounded if the union ∪R ⊆ OBS meets axiom 5. In such cases, the following definitions apply:

$$ \mathcal{F}_T[\![\, \sqcap_{i \in I} P_i \,]\!] = \bigcup_{i \in I} \mathcal{F}_T[\![P_i]\!] $$

$$
\begin{array}{lcl}
\mathcal{F}_T[\![\, x : A \to P_x \,]\!] & = & \{ (\langle\rangle, \aleph, t) \mid A \cap \sigma(\aleph) = \{\} \} \\
 & \cup & \{ (\langle (u, a) \rangle \frown s, \aleph, t) \mid a \in A \wedge A \cap \sigma(\aleph \lhd u) = \{\} \\
 & & \quad \wedge\ (s, \aleph, t) - u \in \mathcal{F}_T[\![P_a]\!] \}
\end{array}
$$

A full treatment of these operators requires a more complex model [MRS92, Sch92a].

In order to give a meaning to recursive constructs, the intention is that the recursive process μX • P should be a solution of the equation X = P. Thus we also allow recursive equations as process definitions; the equation P = F(P) defines P to be the process μX • F(X).

It is by no means clear why such equations should have solutions at all, and we must impose some structure on the model in order to guarantee that they do. A distance function d between processes is defined:

$$ S \lhd t = \{ (s, \aleph, u) \in S \mid u < t \} $$

$$ d(S_1, S_2) = \inf\{ 2^{-t} \mid S_1 \lhd t = S_2 \lhd t \} $$

Thus the longer S₁ and S₂ are indistinguishable, the closer together they are under d. In fact, the distance function is a metric, and the space (TM_F, d) is a complete metric space [Ree88].













Now define a function F(Y) to be t-constructive if

$$ S_1 \lhd u = S_2 \lhd u \Rightarrow F(S_1) \lhd (u + t) = F(S_2) \lhd (u + t) $$

If a term P is t-guarded in X, it follows that the resulting function on X corresponds to a t-constructive function F on TM_F (for any instantiation of the other process variables). But this means that F is a contraction mapping: that is,

$$ \exists \alpha < 1 \bullet \forall S_1, S_2 \bullet d(F(S_1), F(S_2)) \le \alpha\, d(S_1, S_2) $$

where a suitable α is 2⁻ᵗ. Thus we conclude from Banach's fixed point theorem [Sut75] that the function F has a unique fixed point in the complete metric space (TM_F, d).

It is now possible to give a meaning to a recursive term of the form μX • P for P t-guarded in X with t > 0. If P contains no free variables other than X then we have

$$ \mathcal{F}_T[\![\, \mu X \bullet P \,]\!] = \text{the unique fixed point of the function corresponding to } \lambda X \bullet P $$

This approach may be lifted to terms P containing other free variables in the usual way, by evaluating the recursion while the values of the other variables remain fixed (see [DaS93]). It also extends easily to mutual recursion.

This semantic model corresponds in a natural way to an operational testing approach [Hen88] to identifying and distinguishing processes. An operational semantics of the language has been given [Sch92b] in terms of a timed transition system. A test is a CSP process T. A process P may pass a test T if there is some execution given by the operational semantics of (P Σ||Σ T) \ Σ for which T passes through a 'success' state. Two processes are equivalent under may testing if the sets of tests they may pass are exactly the same. Then it turns out [Sch92b] that this notion of equivalence is the same as equivalence in the model TM_F: processes are equivalent under may testing precisely when they have exactly the same timed failures. Thus the denotational semantics is fully abstract with respect to the operational semantics. It follows that timed failures equivalence is the same as untimed and timed trace congruence.

3 Specification 

3.1 Process algebra specification 

As observed earlier, a common approach to specification is to use processes themselves as descriptions of required behaviour. By considering nondeterminism as underspecification, we consider an implementation or refinement of P to be a process Q which behaves as P but which may be more deterministic; some of the nondeterminism in P may be resolved in Q. Thus P is refined by Q if Q has fewer behaviours than P. This is written P ⊑ Q, and defined

$$ P \sqsubseteq Q \Leftrightarrow \mathcal{F}_T[\![Q]\!] \subseteq \mathcal{F}_T[\![P]\!] $$

A process Q meets a specification P when P ⊑ Q.

Consider for example a specification for calculating a square root of |x|:

$$ SQRT = in?x \to ((out!(+\sqrt{|x|}) \to Skip) \sqcap (out!(-\sqrt{|x|}) \to Skip)) $$

An internal choice is made as to whether to output the positive or the negative square root. If this specification process is suitable in a particular context, then the following refinement that is guaranteed to output the negative square root will also be suitable:

$$ NSQRT = in?x \to out!(-\sqrt{|x|}) \to Skip $$

The environment of the process cannot know whether the internal choice is resolved at run-time, or at compile-time, or by the implementor of the process.

The next specification is for a one-place buffer which takes between one second and eight seconds from inputting a message to enabling it for output. The next input may follow output immediately, and must be possible within five seconds of the last output.

$$ B = in?x \to Wait\,[1, 8] ; out!x \to Wait\,[0, 5] ; B $$

Thus the process Q = in?x −t→ out!x → Q, for a fixed delay t with 1 ≤ t ≤ 8, meets this specification, since it is a refinement of B; any possible behaviour of Q is also possible for B, and therefore acceptable.

As a larger example we will consider the following more complicated requirement: we wish to specify a process modelling an n-place unordered buffer of type T, which has certain constraints on input, output, and throughput:

• There must be at least 2 seconds between consecutive inputs;

• It must be ready to accept input no more than 10 seconds since the last input (if not full).

• There must be at least 4 seconds between consecutive outputs;

• It should always be ready to output within 10 seconds of the last output (if not empty).

• Any particular item must be available for output exactly 5 seconds after it is input, subject to the other constraints.
The first two constraints impose lower and upper bounds on the times at which the process should enable input. These are simultaneously captured by the following process:

$$ IN = in?x : T \to Wait\,[2, 10] ; IN $$

Similarly, the bounds imposed by the next two constraints are captured by

$$ OUT = out?x : T \to Wait\,[4, 10] ; OUT $$

Observe that OUT is prepared to allow any event of the form out.m; it is not constraining the nature of the output in any way, it is only constraining the time at which output becomes possible.

Finally, the fifth constraint may be captured for a buffer of size one as follows:

$$ 1BUFF = in?x : T \xrightarrow{\ 5\ } out!x \to 1BUFF $$

An unordered buffer of size n may be considered as a combination of n buffers of size 1 operating independently:

$$ nBUFF = |||_{i=1}^{n}\ 1BUFF $$

where |||_{i=1}^{n} P_i = P₁ ||| P₂ ||| ... ||| P_n. Since the interleaving operator ||| is associative (i.e. F_T[(P ||| Q) ||| R] = F_T[P ||| (Q ||| R)]), this is well defined.

The full specification may then be given as the parallel combination of these three specifications:

$$ SPEC = (IN \,{}_{in.T}\|_{out.T}\, OUT) \,{}_{in.T \cup out.T}\|_{in.T \cup out.T}\, nBUFF $$

The event set associated with each component specification consists of those events that the specification is concerned with. The process IN imposes no constraints upon the events in out.T, so these events do not appear in its interface set, indicating that they can occur without the involvement of IN. Observe also that it is the constraint imposed by nBUFF that prevents input when the buffer is full, and output when empty; the processes IN and OUT are not concerned with these aspects of the buffer's behaviour.

The compositional nature of the denotational semantics allows for a compositional treatment of refinement: if refinements of each of the specifications IN, OUT, and nBUFF are independently found, then their parallel composition will be a refinement of the entire specification SPEC. This compositionality is essential for large-scale verification.

3.2 Behavioural specification 

An alternative approach is to describe directly those observations that are acceptable, in terms of statements about traces and refusals. A specification in this style will be a predicate S on observations or behaviours, and a process P will meet a specification if the predicate holds for every observation in its semantics. In this case, we write P sat S, which is defined formally as follows:

$$ P\ \mathbf{sat}\ S \Leftrightarrow \forall (s, \aleph, t) \in \mathcal{F}_T[\![P]\!] \bullet S $$

This approach allows for a variety of levels of abstraction, since the specification S may be concerned only with some aspects of behaviour, and may ignore others. For example, an untimed safety specification associated with the square-root specification SQRT above is that any answer given must be correct with respect to the input:

$$ S_1 = \forall x, y \bullet \langle in.x, out.y \rangle \preceq strip(s) \Rightarrow y^2 = x $$

This specification has abstracted away any timing information, and is concerned purely with functional correctness. Timing properties are addressed by considering the times at which events occur.

$$ S_2 = \forall x, y, u_1, u_2 \bullet (\langle (u_1, in.x), (u_2, out.y) \rangle \preceq s) \Rightarrow u_1 + 1 \le u_2 $$

The specification S₂ states that there must be a delay of at least one second between any input and any subsequent output.

All specifications that simply consider the trace s component of the observation are safety specifications, in Lamport's sense that 'nothing bad will happen': a constraint is imposed on which events are permissible and at what times. A process can fail such a specification only by performing some undesirable event. In particular, the deadlocked process Stop will meet any satisfiable specification concerned simply with traces. A square root program could ensure it never gives the wrong answer simply by never giving any answer.

To specify that a process should make some progress, it is necessary to consider the refusal information. To say that the process is initially willing to accept any input, we require that it is unable to refuse input events to begin with:

$$ S_3 = s = \langle\rangle \Rightarrow in.T \cap \sigma(\aleph) = \{\} $$

To say that output must be available within one second of input we write

$$ S_4 = \forall u, x \bullet foot(s \upharpoonright in.T \cup out.T) = (u, in.x) \Rightarrow out.x \notin \sigma(\aleph \rhd (u + 1)) $$

Recall that we also have an alternative view of refusals, as a partial record of what the environment of the process offered. The specification S₄ may also be interpreted as saying that if the last event observed was some input at time u, then the environment cannot have been willing to accept output any time after u + 1. This is equivalent to the previous reading because of the maximal progress property: if the environment had been willing, then all involved parties would have been ready and the output would have occurred. Read contrapositively, S₄ states that if the environment had offered to accept output, then something would have occurred after that last input (i.e. (u, in.x) would not be the foot of the trace s).

This view of refusals also supports an assumption/commitment style of specification. It is often natural to specify what a process is expected to do, and then make explicit any assumptions about the environment. For example, the requirement that the three events a, b, and c are performed sequentially before time 1 is captured as follows:

$$ C_1 = t \ge 1 \Rightarrow \langle a, b, c \rangle \preceq strip(s \lhd 1) $$

If the observation lasts for at least one second, then the sequence ⟨a, b, c⟩ should appear in the trace by time 1.

No CSP process will be able to guarantee this specification unconditionally, since it could always be placed in an uncooperative environment which prevented these events from happening. But such a specification is generally made with the assumption that the events in question are under the control of the process required to perform them. This may correspond to an assumption that the environment is always willing to go along with the process with regard to these three events. This assumption is expressed as A₁:

$$ A_1 = [0, t) \times \{a, b, c\} \subseteq \aleph $$

Then the resulting specification on a process is simply A₁ ⇒ C₁. This is met by a process such as a → b → c → Stop; observe that this process does not meet the specification C₁, since (⟨⟩, {}, 1) is a possible observation of it for which C₁ fails.

As another example, consider the following specification on a buffer:

$$ S_5 = [0, t) \times out.T \subseteq \aleph \Rightarrow (\forall u, x \bullet (u, in.x) \in s \wedge u + 1 \le t \Rightarrow (u + 1, out.x) \in s) $$

Here the assumption about the environment is that it is always willing to accept output: for the duration t of the observation, all output events are present in ℵ, indicating that the environment was willing to accept all such events. Under this assumption, we require that for any time u at which a message x is input, a corresponding output must appear in the trace one second later (provided the observation lasts that long).

For the purposes of comparison and contrast, we return to the five requirements on the n-place unordered buffer. These are respectively rendered as behavioural specifications below. We must also make the n-place requirement explicit, in B0. Observe in B1 and B3 that the lower bound of the desired response time is captured by a trace specification stating that events cannot appear too close together; these are safety properties. The upper bound requirements given by B2 and B4 must be captured by an assertion about the






readiness of the process to engage in further events by a particular time, expressed in terms of refusals. We cannot insist that some event must be performed (unless we make an assumption about the environment), since a process does not have sole control over the performance of events.

$$
\begin{array}{ll}
B0. & 0 \le \#(s \upharpoonright in.T) - \#(s \upharpoonright out.T) \le n \\[4pt]
B1. & \forall u \bullet \#(s \upharpoonright in.T \uparrow [u, u + 2)) \le 1 \\[4pt]
B2. & (\#(s \upharpoonright in.T) - \#(s \upharpoonright out.T) < n) \Rightarrow in.T \cap \sigma(\aleph \rhd end(s \upharpoonright in.T) + 10) = \{\} \\[4pt]
B3. & \forall u \bullet \#(s \upharpoonright out.T \uparrow [u, u + 4)) \le 1 \\[4pt]
B4. & (\#(s \upharpoonright in.T) - \#(s \upharpoonright out.T) > 0) \Rightarrow out.T \cap \sigma(\aleph \rhd end(s \upharpoonright out.T) + 10) = \{\} \\[4pt]
B5. & ((s + 5) \upharpoonright in.T)\ before_{in,out}\ (s \upharpoonright out.T)
\end{array}
$$

where s before_{in,out} s' holds if every output event out.m in s' has some corresponding input event in.m in s. It may be defined as follows:

$$ s\ before_{in,out}\ s' \Leftrightarrow bag(s' \downarrow out) \subseteq bag(s \downarrow in) $$

where (s ↓ c) is the sequence of messages m that appear in s on channel c (i.e. when c.m is in the trace); and bag(s ↓ c) is the corresponding bag of messages.

This last specification illustrates a feature of the model-based approach: that we always have the opportunity to provide new definitions appropriate for particular applications.

Thus we would expect our algebraic specification process SPEC to meet the conjunction of these requirements:

$$ SPEC\ \mathbf{sat}\ B0 \wedge B1 \wedge B2 \wedge B3 \wedge B4 \wedge B5 $$
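The behavioural specifications B0 to B5 above, evaluated over constructed timed failures (s, ℵ, t), as an added example (my own code, not the paper's); the list encoding of traces and refusal tokens, the channel-name encoding in.m / out.m, and the sample observations are assumptions of the example.

```python
"""Added example (not from the paper): timed failures as Python data, the
trace and refusal projections used in the text, and the n-place buffer
specifications B0-B5 evaluated on constructed observations."""
from collections import Counter

# Representation (an assumption of this example):
#   trace   s     : list of (time, event) pairs with non-decreasing times
#   refusal aleph : list of refusal tokens (b, e, events) meaning [b, e) x events
#   duration t    : a number >= every time mentioned in s and aleph

def restrict(s, events):            # s |` A : keep the events that lie in A
    return [(u, a) for (u, a) in s if a in events]

def window(s, lo, hi):              # s ^ [lo, hi) : keep events with lo <= u < hi
    return [(u, a) for (u, a) in s if lo <= u < hi]

def shift(s, d):                    # s + d : move every event d time units later
    return [(u + d, a) for (u, a) in s]

def end(s):                         # end(s), with end(<>) = 0
    return s[-1][0] if s else 0

def sigma_after(aleph, t):          # sigma(aleph |> t): events refused at some time > t
    # a half-open token [b, e) contains a time greater than t exactly when e > t
    return {a for (b, e, events) in aleph if e > t for a in events}

def messages(s, channel):           # s "down" c : the messages carried on channel c
    return [a.split(".", 1)[1] for (_, a) in s if a.startswith(channel + ".")]

def before(s, s2):                  # s before_{in,out} s2 : bag(s2 down out) <= bag(s down in)
    return not (Counter(messages(s2, "out")) - Counter(messages(s, "in")))

def buffer_specs(s, aleph, t, n, T):
    """Evaluate B0..B5 for an n-place buffer of type T on one observation.
    The quantifier over u in B1/B3 only needs event times: a window holding
    two events can be slid back to start at the earlier of them."""
    IN, OUT = {f"in.{m}" for m in T}, {f"out.{m}" for m in T}
    ins, outs = restrict(s, IN), restrict(s, OUT)
    held = len(ins) - len(outs)
    return {
        "B0": 0 <= held <= n,
        "B1": all(len(window(ins, u, u + 2)) <= 1 for (u, _) in ins),
        "B2": held >= n or not (IN & sigma_after(aleph, end(ins) + 10)),
        "B3": all(len(window(outs, u, u + 4)) <= 1 for (u, _) in outs),
        "B4": held <= 0 or not (OUT & sigma_after(aleph, end(outs) + 10)),
        "B5": before(restrict(shift(s, 5), IN), outs),
    }

def sat(observations, n, T):
    """P sat (B0 ^ ... ^ B5), with a finite set of observations standing in for F_T[P]."""
    return all(all(buffer_specs(*obs, n, T).values()) for obs in observations)

# Constructed observations of a 2-place buffer over T = {a, b} (sample data, not from the paper).
T = {"a", "b"}
OK = ([(0, "in.a"), (3, "in.b"), (5, "out.a"), (9, "out.b")],
      [(0, 5, {"out.a", "out.b"}), (9, 12, {"out.a", "out.b"})], 12)
TOO_FAST = ([(0, "in.a"), (1, "in.b")], [], 1)                 # inputs 1s apart: violates B1
SILENT = ([(0, "in.a")], [(0, 20, {"out.a", "out.b"})], 20)    # output refused for 20s: violates B4
```

OK satisfies all six, TOO_FAST fails only the safety property B1, and SILENT fails only the liveness property B4, matching the safety/liveness split described in the text.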

Verification

The compositional nature of the denotational semantics allows for a specification oriented proof system for establishing claims of the form P sat S. A proof obligation on a compound process P can be reduced or factored into proof obligations on its components.

For example, the following rule is given for lockstep parallel composition:

$$
\frac{
\begin{array}{l}
P_1\ \mathbf{sat}\ S_1 \\
P_2\ \mathbf{sat}\ S_2 \\
\forall \aleph \bullet [\, (\exists \aleph_1, \aleph_2 \bullet \aleph = \aleph_1 \cup \aleph_2 \wedge S_1[\aleph_1/\aleph] \wedge S_2[\aleph_2/\aleph]) \Rightarrow S \,]
\end{array}
}{
P_1 \,{}_\Sigma\|_\Sigma\, P_2\ \mathbf{sat}\ S
}
$$

Thus to prove that a parallel combination meets S, it is sufficient to find S₁ and S₂ which the components meet and whose combination implies S.

The proof system, containing a rule for each operator, is given in [DaS90]. The soundness of the rules follows from the semantic equations. The rules are also complete, in the sense that if the conclusion is true, then there are specifications S₁ and S₂ such that the antecedents are all simultaneously true. The rule for recursion is also straightforward:

$$
\frac{
\begin{array}{l}
\exists X \bullet X\ \mathbf{sat}\ S \\
\forall X \bullet (X\ \mathbf{sat}\ S \Rightarrow P\ \mathbf{sat}\ S)
\end{array}
}{
(\mu X \bullet P)\ \mathbf{sat}\ S
}
$$

Its soundness follows from the fact that any predicate on processes of the form X sat S is closed in the metric space TM_F, for any specification S; and that any contraction which maps a non-empty closed set into itself has its unique fixed point in the closed set.

Current and future research 

Although an operational and denotational semantics for timed CSP have been 
given and shown to be equivalent, there is not yet an equivalent axiomatic 
semantics. There are many laws for transfixming procem descriptions [ReeSS], 
but these laws do not form a complete set. An approach similar to that taken 
in (Che9^ appears promising, and may complete the trinity of complementary 
aemaaticiq>proaches. This would give more badtnp to the algebraic specification 
style, since the claim PC Q might then be established by equational r e as onin g, 
as it is equivalent to the daim i* = P n Q. Different q>edfication styles might 
be apiwopriate for different parts of a devd^ment, and could be used in tandem 
since they are unified by the underlying model. 

Specification macros [Dav9?] to make behavioural specifications more palatable
are under investigation. Specification clichés are captured at a higher level
to make requirements easier to read and understand. For example, the specification
stating that output should be available one second after input is
rendered as ( ^ suf from< -f /■

Machine assisted verification is another area of great interest, both in terms
of support for proofs that processes meet behavioural specifications, and also
in terms of the model-checking approach for algebraic specifications. The latter
approach is based upon operational semantics, and the states of a proposed
implementation are explored and checked against corresponding states in the
specification.
Full Abstraction and Expressiveness
in Structural Operational Semantics

(preliminary report)


R.J. van Glabbeek*

Computer Science Department, Stanford University
Stanford, CA 94305, USA.
rvg@cs.stanford.edu


This paper explores the connection between semantic equivalences for concrete sequential pro-
cesses, represented by means of transition systems, and formats of transition system specifica-
tions using Plotkin's structural approach. For several equivalences in the linear time - branching
time spectrum a format is given, as general as possible, such that this equivalence is a congru-
ence for all operators specifiable in that format. And for several formats it is determined what is
the coarsest congruence with respect to all operators in this format that is finer than partial or
completed trace equivalence. Finally for some of the formats a small language specified in this
format is provided such that any operator specifiable in that format can already be expressed
in this language.


1 Preorders and equivalences on labelled transition systems 

Definition 1 A labelled transition system (LTS) is a pair $(P, \rightarrow)$ with $P$ a set (of processes) and
$\rightarrow \subseteq P \times A \times P$ for $A$ a set (of actions).

Notation: Write $p \xrightarrow{a} q$ for $(p,a,q) \in \rightarrow$ and $p \xrightarrow{a}$ for $\exists q \in P : p \xrightarrow{a} q$.

The elements of $P$ represent the processes we are interested in, and $p \xrightarrow{a} q$ means that process $p$
can evolve into process $q$ while performing the action $a$. By an action any activity is understood
that is considered as a conceptual entity on a chosen level of abstraction. Different activities that
are indistinguishable on the chosen level of abstraction are interpreted as occurrences of the same
action $a \in A$. Actions may be instantaneous or durational and are not required to terminate,
but in a finite time only finitely many actions can be carried out (i.e. only discrete systems are
considered).

Below several semantic preorders and equivalences will be defined on processes represented by
means of labelled transition systems. These preorders can be defined in terms of the observations
that an experimenter could make during a session with a process.

Definition 2 The set $\mathbb{O}_A$ of potential observations over an action set $A$ is defined inductively by:

$T \in \mathbb{O}_A$. The trivial observation, obtained by terminating the session.

$a\varphi \in \mathbb{O}_A$ if $\varphi \in \mathbb{O}_A$ and $a \in A$. The observation of an action $a$, followed by the observation $\varphi$.

$\tilde{X} \in \mathbb{O}_A$ for $X \subseteq A$. The investigated system cannot perform further actions from the set $X$.

$X \in \mathbb{O}_A$ for $X \subseteq A$. The investigated system can now perform any action from the set $X$.

$\bigwedge_{i \in I} \varphi_i \in \mathbb{O}_A$ if $\varphi_i \in \mathbb{O}_A$ for all $i \in I$. The system admits each of the observations $\varphi_i$.

$\neg\varphi \in \mathbb{O}_A$ if $\varphi \in \mathbb{O}_A$. (It can be observed that) $\varphi$ cannot be observed.


*This work was supported by ONR under grant number N00014-92-J-1974.
Definition 3 Let $(P, \rightarrow)$ be a LTS, labelled over $A$. The function $O_A : P \rightarrow \mathcal{P}(\mathbb{O}_A)$ of observations
of a process is inductively defined by the clauses below.

$(T)$ $T \in O_A(p)$

$(a)$ $a\varphi \in O_A(p)$ if $p \xrightarrow{a} q$ and $\varphi \in O_A(q)$

$(F)$ $\tilde{X} \in O_A(p)$ if $p \not\xrightarrow{a}$ for all $a \in X$

$(R)$ $X \in O_A(p)$ if $p \xrightarrow{a}$ for all $a \in X$

$(\wedge)$ $\bigwedge_{i \in I} \varphi_i \in O_A(p)$ if $\varphi_i \in O_A(p)$ for all $i \in I$

$(\neg)$ $\neg\varphi \in O_A(p)$ if $\varphi \notin O_A(p)$


As the structure of the set $A$ of actions will play no role of significance in this paper, the cor-
responding index will from here on be omitted. Below several sublanguages of observations are
defined:

$\mathbb{O}_T$, the (partial) trace observations
$\mathbb{O}_{CT}$, the completed trace observations
$\mathbb{O}_F$, the failure observations
$\mathbb{O}_R$, the readiness observations
$\mathbb{O}_{FT}$, the failure trace observations
$\mathbb{O}_{RT}$, the ready trace observations
$\mathbb{O}_S$, the simulation observations
$\mathbb{O}_{CS}$, the completed simulation observations
$\mathbb{O}_{FS}$, the failure simulation observations
$\mathbb{O}_{RS}$, the ready simulation observations
$\mathbb{O}_B$, the bisimulation observations
$\mathbb{O}_{nA}$, the n-nested action observations
$\mathbb{O}_{nT}$, the n-nested trace observations
$\mathbb{O}_{nS}$, the n-nested simulation observations

Among the grammars defining these sublanguages:

$\mathbb{O}_T$: $\varphi ::= T \mid a\varphi$

$\mathbb{O}_{CT}$: $\varphi ::= T \mid a\varphi \mid \tilde{A}$

$\mathbb{O}_F$: $\varphi ::= T \mid a\varphi \mid \tilde{X}$

$\mathbb{O}_B$: $\varphi ::= T \mid a\varphi \mid \bigwedge_{i \in I} \varphi_i \mid \neg\varphi$

$\mathbb{O}_{nA}$: $\varphi ::= T \mid a\psi \;(\psi \in \mathbb{O}_{mA}$ for some $m < n) \mid \bigwedge_{i \in I} \varphi_i \mid \neg\varphi$

$\mathbb{O}_{nT}$: $\varphi ::= T \mid a\varphi \mid \bigwedge_{i \in I} \psi_i \mid \neg\psi \;(\psi, \psi_i \in \mathbb{O}_{mT}$ for some $m < n)$

$\mathbb{O}_{nS}$: $\varphi ::= T \mid a\varphi \mid \bigwedge_{i \in I} \varphi_i \mid \neg\psi \;(\psi \in \mathbb{O}_{mS}$ for some $m < n)$

For each of these notions $N$, $O_N(p)$ is defined to be $O(p) \cap \mathbb{O}_N$.

Definition 4 Two processes $p, q \in P$ are $N$-equivalent, denoted $p =_N q$, if $O_N(p) = O_N(q)$.

$p$ is $N$-prequivalent to $q$, denoted $p \sqsubseteq_N q$, if $O_N(p) \subseteq O_N(q)$.

In Van Glabbeek [2] the observations above and the corresponding equivalences are motivated
by means of testing scenarios, phrased in terms of 'button pushing experiments' on generative and
reactive machines. There it is also observed that restricted to the domain of finitely branching,
concrete, sequential processes, most semantic equivalences found in the literature 'that can be
defined uniformly in terms of action relations' coincide with one of the equivalences defined above.
The same can be said for preorders. Here concrete refers to the absence of internal actions ($\tau$-moves)
or internal choice. In order to facilitate the connections with other work it is worth remarking that 2-
nested trace equivalence is also known as possible-futures equivalence, and on the mentioned domain
readiness equivalence coincides with acceptance-refusal equivalence, failure equivalence coincides
with Hennessy and De Nicola's (must) testing equivalence, failure trace equivalence coincides with
Phillips' refusal (testing), and ready trace equivalence coincides with barbed equivalence and with
exhibited behaviour equivalence. In order to clarify a few more relations, the following relational
characterisations of certain equivalences may be helpful.


Definition 5 Let $(P, \rightarrow)$ be an LTS. A ready simulation is a relation $R \subseteq P \times P$ satisfying

- $pRq \wedge p \xrightarrow{a} p' \Rightarrow \exists q' : q \xrightarrow{a} q' \wedge p'Rq'$

- $pRq \wedge p \not\xrightarrow{a} \Rightarrow q \not\xrightarrow{a}$

Theorem 1 $p \sqsubseteq_{RS} q$ iff $p \sqsubseteq_{FS} q$ iff there is a ready simulation $R$ with $pRq$.
Proof: "$p \sqsubseteq_{RS} q \Rightarrow p \sqsubseteq_{FS} q$" is trivial. For "$p \sqsubseteq_{FS} q \Rightarrow$ there is a ready simulation $R$ with $pRq$"
it suffices to establish that $\sqsubseteq_{FS}$ is a ready simulation.

- Suppose $O_{FS}(p) \subseteq O_{FS}(q)$ and $p \xrightarrow{a} p'$. I have to show that there is a $q' \in P$ with $q \xrightarrow{a} q'$ and
$O_{FS}(p') \subseteq O_{FS}(q')$. Let $Q$ be $\{q' \in P \mid q \xrightarrow{a} q' \wedge \exists \varphi_{q'} \in O_{FS}(p') - O_{FS}(q')\}$. Then
$a \bigwedge_{q' \in Q} \varphi_{q'} \in O_{FS}(p) \subseteq O_{FS}(q)$, so there must be a $q' \in P$ with $q \xrightarrow{a} q'$ and $q' \notin Q$.

- Let $O_{FS}(p) \subseteq O_{FS}(q)$ and $p \not\xrightarrow{a}$. Then $\widetilde{\{a\}} \in O_{FS}(p) \subseteq O_{FS}(q)$ and hence $q \not\xrightarrow{a}$.

Finally I have to prove that for $R$ a ready simulation one has $pRq \Rightarrow (\varphi \in O_{RS}(p) \Rightarrow \varphi \in O_{RS}(q))$.
I will do so with induction on $\varphi$.

- Suppose $pRq$ and $a\varphi \in O_{RS}(p)$. Then there is a $p' \in P$ with $p \xrightarrow{a} p'$ and $\varphi \in O_{RS}(p')$. As
$R$ is a ready simulation, there must be a $q' \in P$ with $q \xrightarrow{a} q'$ and $p'Rq'$. So by induction
$\varphi \in O_{RS}(q')$, and hence $a\varphi \in O_{RS}(q)$.

The cases that $\varphi$ is $T$, $\tilde{X}$, $X$ or $\bigwedge_{i \in I} \varphi_i$ are straightforward. □

Definition 6 Let $(P, \rightarrow)$ be an LTS. A simulation is a relation $R \subseteq P \times P$ satisfying

- $pRq \wedge p \xrightarrow{a} p' \Rightarrow \exists q' : q \xrightarrow{a} q' \wedge p'Rq'$

A bisimulation is a symmetric simulation.

Theorem 2 $p \sqsubseteq_S q$ iff there is a simulation $R$ with $pRq$.

$p \sqsubseteq_B q$ iff $p =_B q$ iff there is a bisimulation $R$ with $pRq$.
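The relational characterisations of Definitions 5 and 6 (Theorems 1 and 2) can be checked mechanically on a finite LTS. The following Python program is an added example and not code from van Glabbeek's paper: it computes the greatest ready simulation and the greatest bisimulation by refining a candidate relation until the transfer condition holds, and compares them with partial trace inclusion. The LTSs, the process names and the helper names (`greatest_simulation`, `compare`, ...) are all constructed for this example.

```python
# Constructed example LTSs (not from the paper): state -> set of (action, successor).
#   p1 = a.(b + c)          p2 = a.b + a.c              trace equivalent, not ready similar
#   p3 = a.(b.c + b.d)      p4 = a.(b.c + b.d) + a.b.c  ready simulation equivalent, not bisimilar
LTS = {
    "p1": {("a", "p1_bc")}, "p1_bc": {("b", "nil"), ("c", "nil")},
    "p2": {("a", "p2_b"), ("a", "p2_c")}, "p2_b": {("b", "nil")}, "p2_c": {("c", "nil")},
    "p3": {("a", "p3_x")}, "p3_x": {("b", "p3_c"), ("b", "p3_d")},
    "p3_c": {("c", "nil")}, "p3_d": {("d", "nil")},
    "p4": {("a", "p3_x"), ("a", "p4_b")}, "p4_b": {("b", "p3_c")},
    "nil": set(),
}

def initials(lts, p):
    """Set of actions p can perform now (the ready set of p)."""
    return {a for a, _ in lts[p]}

def transfer_ok(lts, R, p, q):
    """First clause of Definitions 5 and 6: every p -a-> p' is matched by a q -a-> q' with p' R q'."""
    return all(any(b == a and (p1, q1) in R for b, q1 in lts[q]) for a, p1 in lts[p])

def greatest_simulation(lts, ready=False):
    """Largest (ready) simulation on a finite LTS, obtained by removing pairs that
    violate the transfer condition until none is left. For a ready simulation the
    second clause of Definition 5 (p -a/-> implies q -a/->) together with the first
    forces equal initial action sets, which is used as the starting relation."""
    states = list(lts)
    if ready:
        R = {(p, q) for p in states for q in states if initials(lts, p) == initials(lts, q)}
    else:
        R = {(p, q) for p in states for q in states}
    while True:
        bad = {pq for pq in R if not transfer_ok(lts, R, *pq)}
        if not bad:
            return R
        R -= bad

def greatest_bisimulation(lts):
    """Largest symmetric simulation (Definition 6): alternately drop asymmetric pairs
    and pairs that no longer satisfy the transfer condition."""
    R = greatest_simulation(lts)
    while True:
        bad = {(p, q) for p, q in R if (q, p) not in R or not transfer_ok(lts, R, p, q)}
        if not bad:
            return R
        R -= bad

def traces(lts, p, depth=10):
    """Partial traces of p (the observations O_T(p)), bounded in length for safety."""
    out = {()}
    if depth:
        for a, p1 in lts[p]:
            out |= {(a,) + t for t in traces(lts, p1, depth - 1)}
    return out

def compare(lts, p, q):
    """(trace inclusion, ready simulation preorder, bisimilarity) of p with respect to q."""
    return (traces(lts, p) <= traces(lts, q),
            (p, q) in greatest_simulation(lts, ready=True),
            (p, q) in greatest_bisimulation(lts))

if __name__ == "__main__":
    for p, q in [("p1", "p2"), ("p2", "p1"), ("p3", "p4"), ("p4", "p3")]:
        print(p, q, compare(LTS, p, q))
```

Running it reports that $p_1$ and $p_2$ have the same traces but are related by no ready simulation in either direction (the refusal $\widetilde{\{c\}}$ after $a$ separates them, as in the second bullet of the proof of Theorem 1), whereas $p_3$ and $p_4$ are ready simulation equivalent but not bisimilar. Plain simulation is also asymmetric here: $p_2 \sqsubseteq_S p_1$ holds while $p_1 \sqsubseteq_S p_2$ does not.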

2 Structural Operational Semantics 

In this paper $V$ and $N$ are two disjoint countably infinite sets of variables and names. Many
concepts that will appear are parameterized by the choice of $V$ and $N$, but as in this paper this
choice is fixed, a corresponding index is suppressed.

Definition 7 (Signatures). A function declaration is a pair $(f, n)$ of a function symbol $f$ and
an arity $n \in \mathbb{N}$. A function declaration $(c, 0)$ is also called a constant declaration. A signature is a
set of function declarations. The set $\mathbb{T}(\Sigma)$ of terms over a signature $\Sigma$ is defined inductively by:

• $V \subseteq \mathbb{T}(\Sigma)$,

• if $(f, n) \in \Sigma$ and $t_1, \ldots, t_n \in \mathbb{T}(\Sigma)$ then $f(t_1, \ldots, t_n) \in \mathbb{T}(\Sigma)$.

A term $c()$ is often abbreviated as $c$. For $t \in \mathbb{T}(\Sigma)$, $V(t)$ denotes the set of variables that occur in
$t$. $T(\Sigma)$ is the set of closed terms over $\Sigma$, i.e. the terms $t \in \mathbb{T}(\Sigma)$ with $V(t) = \emptyset$. A $\Sigma$-substitution $\sigma$
is a partial function from $V$ to $\mathbb{T}(\Sigma)$. If $\sigma$ is a substitution and $S$ any syntactic object, then $S[\sigma]$
denotes the object obtained from $S$ by replacing, for $x$ in the domain of $\sigma$, every occurrence of $x$
in $S$ by $\sigma(x)$. In that case $S[\sigma]$ is called a substitution instance of $S$.

Definition 8 (Transition system specifications). Let $\Sigma$ be a signature. A positive $\Sigma$-literal is an
expression $t \xrightarrow{a} t'$ and a negative $\Sigma$-literal an expression $t \not\xrightarrow{a}$ with $t, t' \in \mathbb{T}(\Sigma)$ and $a \in N$. For
$t, t' \in \mathbb{T}(\Sigma)$ the literals $t \xrightarrow{a} t'$ and $t \not\xrightarrow{a}$ are said to deny each other. A transition formula over
$\Sigma$ is an expression of the form $\frac{H}{\alpha}$ with $H$ a set of $\Sigma$-literals (the antecedents of the rule) and
$\alpha$ a $\Sigma$-literal (the conclusion). A formula $\frac{H}{\alpha}$ with $H = \emptyset$ is also written $\alpha$. A literal or transition
formula is closed if it contains no variables. An action rule is a transition formula with a positive
conclusion. A transition system specification (TSS) is a pair $(\Sigma, R)$ with $\Sigma$ a signature and $R$ a set
of action rules over $\Sigma$. A TSS is positive if all literals in the antecedents of its rules are positive.

The concept of a TSS was introduced in Groote & Vaandrager [4]; the negative premisses
were added in Groote [3]. The notion constitutes the first formalization of Plotkin's Struc-
tural Operational Semantics (SOS) [5] that is sufficiently general to cover most, if not all, of its
applications.




Definition 9 (Proof). Let $P = (\Sigma, R)$ be a TSS. A proof of a transition formula $\frac{H}{\alpha}$ from $P$ is a
well-founded, upwardly branching tree of which the nodes are labelled by $\Sigma$-literals, such that:

• the root is labelled by $\alpha$, and

• if $\beta$ is the label of a node $q$ and $K$ is the set of labels of the nodes directly above $q$, then

- either $K = \emptyset$ and $\beta \in H$,

- or $\frac{K}{\beta}$ is a substitution instance of a rule from $R$.

If a proof of $\frac{H}{\alpha}$ from $P$ exists, then $\frac{H}{\alpha}$ is provable from $P$, notation $P \vdash \frac{H}{\alpha}$.

Definition 10 (Transition relation). Let $\Sigma$ be a signature. A transition relation over $\Sigma$ is a
relation $\rightarrow \subseteq T(\Sigma) \times N \times T(\Sigma)$. Elements $(t, a, t')$ of a transition relation are written as $t \xrightarrow{a} t'$.
Thus a transition relation over $\Sigma$ can be regarded as a set of closed positive $\Sigma$-literals (transitions).

A positive TSS specifies a transition relation in a straightforward way as the set of all derivable
transitions. But as pointed out in Groote [3], it is much less trivial to associate a transition
relation to a TSS with negative premisses. Several solutions are proposed in [3] and [1]. The most
general of those is through the notion of stability. It is not difficult to show that the concept of
stability defined below is the same as that of Bol and Groote.

Definition 11 (Stable transition relation). Let $P = (\Sigma, R)$ be a TSS and let $\rightarrow$ be a transition
relation over $\Sigma$. $\rightarrow$ is stable for $P$ if:

$t \xrightarrow{a} t' \in \rightarrow$ iff there is a closed transition formula $\frac{H}{t \xrightarrow{a} t'}$ without positive antecedents
with $P \vdash \frac{H}{t \xrightarrow{a} t'}$ and $(s \xrightarrow{b} s') \in \rightarrow$ for no $(s \not\xrightarrow{b}) \in H$ and $s' \in T(\Sigma)$.

According to Bol & Groote [1] the transition relation associated to a TSS is its unique stable
transition relation if it exists. They argue that there is no satisfying way to associate a transition
relation to a TSS that has no or multiple stable transition relations.

3 Formats and congruence theorems 

Definition 12 (ntyft/ntyxt-format). An action rule $\frac{H}{t \xrightarrow{a} t'}$ over a signature $\Sigma$ is in ntyft-format if $t$
has the form $f(x_1, \ldots, x_n)$ for certain $(f, n) \in \Sigma$ and $x_1, \ldots, x_n \in V$, and all its positive antecedents
have the form $s \xrightarrow{b} y$ with $y \in V - V(t)$. It is in ntyxt-format if $t$ has the form $x \in V$ and all its
positive antecedents have the form $s \xrightarrow{b} y$ with $x \neq y \in V$. A TSS is in ntyft/ntyxt-format if all
its rules are in ntyft or ntyxt-format.

Definition 13 The bound variables of an action rule $\frac{H}{t \xrightarrow{a} t'}$ over a signature $\Sigma$ are inductively
defined as the ones that occur in $t$ or in the target $s'$ of a positive antecedent $(s \xrightarrow{b} s') \in H$
where $s$ contains bound variables only. The rule is pure if all variables that occur in it are bound,
and a TSS is pure if it consists of pure rules only. A rule has no lookahead if all bound variables
in the source of its antecedents also occur in the source of its conclusion. Connectedness is the
smallest equivalence relation between the bound variables that appear in a rule such that $x$ and $y$
are connected if there is an antecedent $x \xrightarrow{b} y$.

Definition 14 A TSS is in bisimulation format if it is positive after reduction (as defined in [1])
and in ntyft/ntyxt-format. A TSS is in nested simulation format or tyft/tyxt-format if it is positive
and in ntyft/ntyxt-format. A TSS is in ready simulation format if it is in bisimulation format and
its rules have no lookahead. A TSS is in ready trace format if it is in ready simulation format and
no two occurrences of variables in the target of a rule are connected in that rule. A TSS is in failure
format if it is positive and in ready trace format.
Theorem 3 (Congruence). Bisimulation equivalence is a congruence for any TSS in bisimulation
format. Similarly, n-nested simulation equivalence (for any $n \in \mathbb{N}$) is a congruence for any TSS
in nested simulation format, ready simulation equivalence is a congruence for any TSS in ready
simulation format, ready trace equivalence is a congruence for any TSS in ready trace
format and failure equivalence as well as trace equivalence are congruences for any TSS in failure
format.

4 Full abstraction 

Definition 15 An equivalence is said to be fully abstract with respect to a set of operators $L$ and
another equivalence if it is the coarsest congruence with respect to the operators in $L$ that
is finer than that equivalence. An equivalence on labelled transition systems is fully abstract with respect to a
TSS-format and an equivalence if it is the coarsest congruence with respect to all operators
specifiable by a TSS in that format that is finer than that equivalence.

Theorem 4 Bisimulation equivalence is fully abstract w.r.t. the bisimulation format and trace
equivalence. 2-nested simulation equivalence is fully abstract for the n-nested simulation format
and completed trace equivalence. Simulation equivalence (= 1-nested simulation equivalence) is fully
abstract for the n-nested simulation format and trace equivalence. Ready simulation equivalence is
fully abstract for the ready simulation format and trace equivalence, as well as for the
positive ready simulation format and completed trace equivalence. Ready trace equivalence is fully
abstract for the ready trace format and trace equivalence. And failure equivalence is fully abstract
for the failure format and completed trace equivalence.

5 Expressiveness 

Robert de Simone has shown that any operator that can be specified in the failure format can
be expressed in Meije (or any equivalent process algebraic language). I show that similarly any
operator that can be specified in the positive ready simulation format can be expressed in a similar
language to which an operator ! has been added. A similar result (with yet another operator) will
be conjectured for the n-nested simulation format.
Introduction

Synchronous programming [IEE91, Hal93b] is a useful approach to design reactive systems. A
synchronous program is supposed to instantly and deterministically react to events coming from
its environment. The advantages of this approach have been pointed out elsewhere. Synchronous
languages are simple and clean, they have been given simple and precise formal semantics,
they allow an especially elegant programming style. They conciliate concurrency (at least at the
description level) with determinism. They can be compiled into a very efficient sequential code,
by means of a specific compiling technique: The control structure of the object code is a finite
automaton which is synthesized by an exhaustive simulation of a finite abstraction of the program.

Concerning program verification, it has been argued [BS91, HLR92a, Pnu92] that the practical 
goal, for reactive programs, is generally to verify some simple logical safety properties: By a safety 
property, we mean, as usual, a property which expresses that something will never happen, and 
by a simple logical property, we mean a property which depends on logical dependences between 
events, rather than on complex relations between numerical values. 

For the verification of such properties also, the synchronous approach has some advantages:
Since the parallel composition is synchronous, the desired properties of a program can be easily
and modularly expressed by means of an observer, i.e., another program which observes the
behavior of the first one and decides whether it is correct. Thus, the same language is used to
write the program and its desired properties. The verification then consists in checking that
the parallel composition of the program and its observer never causes the observer to complain.
This verification can often be performed by traversing the finite control automaton built by
the compiler. This automaton is generally much smaller than in the asynchronous case, where
non-deterministic interleaving of processes is likely to result in state explosion.

An observer can also be used to express known properties of the program environment. As a
reactive system is embedded into an environment with which it tightly interacts, the environment

¹Verimag is a joint laboratory of CNRS, Institut National Polytechnique de Grenoble, Université J. Fourier
and Verilog SA associated with IMAG.

²This work was performed while the first author was on leave in Stanford University, partially supported by
the Department of Navy, Office of the Chief of Naval Research under Grant NOOOISf-SI-J-ISOI, and by a grant
from the Stanford Office of Technology Licensing. This publication does not necessarily reflect the position or the
must be strongly taken into account in program design and verification. Generally, the critical
properties of a reactive system are only required to hold provided the environment also behaves
correctly, that is, under some assumptions about the environment. In [HLR92b], we verified
a very simple railways control system, and the most important part was the description of the
realistic behavior of the trains (they obey the signals, they do not jump from one track to another,
etc.). In [HLR92a], we used this ability of taking the environment into account in the verification,
to propose a modular verification technique: When two processes run in parallel, each of them
is part of the other's environment; so any property which is proved about one of them, can be
used as an assumption about the other's environment.

So, our verification approach can be summarized by three simple ideas: (1) restriction to
safety properties; (2) expression of these properties by means of a synchronous, deterministic
observer; (3) taking into account assumptions about the environment. This paper is a survey of
our specification and verification techniques, in a very general, language independent, framework.
Section 1 introduces a simple model of synchronous input/output machines, which will be used
throughout the paper. In section 2, we show how such a machine can be designed to check
the satisfaction of a safety property, and we discuss the use of such an observer in program
verification. In section 3, we use an observer to restrict the behavior of a machine. This is the
basic way for representing assumptions about the environment. Applications to modular and
inductive verification are considered. In modular verification, one has to find, by intuition, a
property of a subprogram that is strong enough to allow the verification of the whole program
without fully considering the subprogram. In section 4, we consider the automatic synthesis of
such a property, and in section 5, we investigate the possibility of deducing the subprogram from
such a synthesized specification.

1 Synchronous I/O machines 

We first define an abstract model of synchronous reactive machines. As far as verification is
concerned, we could use a synchronous process algebra [Mil81, Mil83, AB84] as a basic formalism.
However, in the synthesis problem, we have to distinguish between inputs and outputs, since a
process controls its outputs but not its inputs. So, we prefer to use a notion of synchronous
machine where inputs and outputs do not play a symmetric role. In the following model, as in
synchronous languages, outputs are non blocking and synchronously broadcast. Moreover, we
will need an explicit notion of state, which lacks in process algebras.

1.1 Definitions 

Let us consider a set $S$ of signals, and let $E_S = 2^S$ be the set of events¹ on $S$. An I/O machine
$M$ is a 5-tuple $(Q_M, q0_M, I_M, O_M, \delta_M)$ where

• $Q_M$ is a set of states containing $q0_M$, the initial state;

• $I_M \subseteq S$, $O_M \subseteq S$ are the disjoint sets of input and output signals, respectively;

• $\delta_M \subseteq Q_M \times E_{I_M} \times E_{O_M} \times Q_M$ is the transition relation. When there is no ambiguity
about the considered relation, we will often note "$q \xrightarrow{i/o} q'$" instead of "$(q, i, o, q') \in \delta_M$".

¹Events, with the union operation, will play the role of the monoid of actions in synchronous process algebras.
Intuitively, in response to a sequence $(i_1, i_2, \ldots, i_n, \ldots)$ of input events, such a machine returns a
sequence $(o_1, o_2, \ldots, o_n, \ldots)$ of output events, such that there exists a sequence $(q_0, q_1, \ldots, q_n, \ldots)$
of states, with $q_0 = q0_M$ and for all $n \geq 1$, $q_{n-1} \xrightarrow{i_n/o_n} q_n$. The sequence $((i_1 \cup o_1), (i_2 \cup o_2), \ldots, (i_n \cup o_n), \ldots)$ will then be called a trace of the machine.

If $\tau = ((i_1 \cup o_1), (i_2 \cup o_2), \ldots, (i_n \cup o_n))$ is a finite trace, and $(q_0, q_1, \ldots, q_n)$ is a corresponding
sequence of states, we will note $q0_M \xrightarrow{\tau} q_n$. For any state $q$, we will note $traces(q)$ the set
$\{\tau \mid q0_M \xrightarrow{\tau} q\}$ of traces leading to $q$. This notation is extended to sets of states: For any
$X \subseteq Q_M$, $traces(X) = \bigcup_{q \in X} traces(q)$.

Let us note $\delta^*_M$ the reaction function from $Q_M \times E_{I_M}$ into $2^{E_{O_M} \times Q_M}$ defined by

$$\delta^*_M = \lambda(q, i).\{(o, q') \mid (q, i, o, q') \in \delta_M\}$$

A reactive machine cannot refuse a non-empty input event, and thus satisfies the following
property: $\forall q \in Q_M, \forall i \subseteq I_M,\ i \neq \emptyset \Rightarrow \delta^*_M(q, i) \neq \emptyset$.

A deterministic machine has at most one possible reaction to a given input event, and thus
satisfies: $\forall q \in Q_M, \forall i \subseteq I_M,\ |\delta^*_M(q, i)| \leq 1$. For a deterministic machine, we will note $\delta^o_M$
(respectively $\delta^q_M$) the function giving, for a state $q$ and an input event $i$, the output event $o$
(resp. the next state $q'$) such that $(q, i, o, q')$ belongs to $\delta_M$.

We will use the usual precondition and postcondition functions, from $2^{Q_M}$ to $2^{Q_M}$: for any
$X \subseteq Q_M$,

• $post_M(X)$ is the set of successors of states belonging to $X$:

$$post_M(X) = \{q' \mid \exists q \in X, \exists i, o,\ q \xrightarrow{i/o} q'\}$$

• $pre_M(X)$ is the set of states having a successor state in $X$:

$$pre_M(X) = \{q \mid \exists q' \in X, \exists i, o,\ q \xrightarrow{i/o} q'\}$$

• $\widetilde{pre}_M(X)$ is the set of states having all their successors in $X$:

$$\widetilde{pre}_M(X) = \{q \mid \forall i, \forall o, \forall q' \text{ such that } q \xrightarrow{i/o} q',\ q' \in X\} = Q_M \setminus pre_M(Q_M \setminus X)$$

1.2 Operations on I/O machines 

Projection: Let $M$ be an I/O machine, and $O' \subseteq O_M$. The projected machine $M \downarrow O'$ is
$(Q_M, q0_M, I_M, O', \delta')$, where $\delta' = \{(q, i, o \cap O', q') \mid (q, i, o, q') \in \delta_M\}$.

Obviously, if $M$ is reactive (respectively, deterministic), so is $M \downarrow O'$.

Synchronous product: Let $M_1$ and $M_2$ be two I/O machines, with $O_{M_1} \cap O_{M_2} = \emptyset$². We
define their synchronous product $M_1 \| M_2$ to be the I/O machine $M$ where

²The restriction that parallel machines don't share common output signals is for simplicity only. It does not
exist in Esterel [BG92] and Argos [Mar93].
[Figure 1: Synchronous product. (a) Non determinism. (b) Absence of reaction.]

• $Q_M = Q_{M_1} \times Q_{M_2}$, $q0_M = (q0_{M_1}, q0_{M_2})$

• $I_M = (I_{M_1} \setminus O_{M_2}) \cup (I_{M_2} \setminus O_{M_1})$, $O_M = O_{M_1} \cup O_{M_2}$

• $((q_1, q_2), i, o, (q'_1, q'_2)) \in \delta_M \iff (q_1, (i \cup o) \cap I_{M_1}, o \cap O_{M_1}, q'_1) \in \delta_{M_1}$
and $(q_2, (i \cup o) \cap I_{M_2}, o \cap O_{M_2}, q'_2) \in \delta_{M_2}$

In other words, a transition of the product involves a transition of each machine, triggered by
the global input signals and the signals emitted by the other machine.

1.3 Causality

With this very loose definition of the synchronous product, it can happen that the product of
two deterministic (respectively reactive) machines is not deterministic (resp. reactive). This is
the well-known problem of causality paradoxes in synchronous languages [BG92, Mar92]. For
instance, let $I_{M_1} = \{x, y\}$, $I_{M_2} = \{x, z\}$, $O_{M_1} = \{z\}$ and $O_{M_2} = \{y\}$. Then:

• Assume that $q_1 \xrightarrow{\{x\}/\{z\}} q'_1$ and $q_1 \xrightarrow{\{x,y\}/\emptyset} q''_1$ are the only transitions in $\delta_{M_1}$ from state $q_1$, and
that $q_2 \xrightarrow{\{x\}/\{y\}} q'_2$ and $q_2 \xrightarrow{\{x,z\}/\emptyset} q''_2$ are the only transitions in $\delta_{M_2}$ from state $q_2$ (see Fig. 1.a).

If the input event $\{x\}$ occurs when the product machine $M_1 \| M_2$ is in the state $(q_1, q_2)$,
two different transitions can take place:

- either $M_1$ performs $q_1 \xrightarrow{\{x\}/\{z\}} q'_1$, then the emission of $z$ forces the transition
$q_2 \xrightarrow{\{x,z\}/\emptyset} q''_2$ in $M_2$. So the compound transition is $(q_1, q_2) \xrightarrow{\{x\}/\{z\}} (q'_1, q''_2)$;

- or, conversely, $M_2$ performs $q_2 \xrightarrow{\{x\}/\{y\}} q'_2$, forcing the transition $q_1 \xrightarrow{\{x,y\}/\emptyset} q''_1$ in $M_1$, and
the resulting global transition is $(q_1, q_2) \xrightarrow{\{x\}/\{y\}} (q''_1, q'_2)$.

So, in that case, the product of two deterministic machines is non deterministic.

• Assume now that $q_1 \xrightarrow{\{x,y\}/\{z\}} q'_1$ and $q_1 \xrightarrow{\{x\}/\emptyset} q''_1$ are the only transitions in $\delta_{M_1}$ from state $q_1$,
and that $\delta_{M_2}$ is as before (Fig. 1.b). Now, if the input event $\{x\}$ occurs in the state $(q_1, q_2)$,
no global transition can occur, since:

- if $M_2$ performs $q_2 \xrightarrow{\{x\}/\{y\}} q'_2$, the emission of $y$ forces the transition $q_1 \xrightarrow{\{x,y\}/\{z\}} q'_1$ in
$M_1$. But now, since $z$ is emitted, $M_2$ should not have made its transition.

- Conversely, if $M_1$ performs $q_1 \xrightarrow{\{x\}/\emptyset} q''_1$, since $z$ is not emitted, $M_2$ must perform
$q_2 \xrightarrow{\{x\}/\{y\}} q'_2$, and the emission of $y$ forbids the transition of $M_1$.

So, in that case, the product of two reactive machines is not reactive.

An important feature of synchronous languages is that their parallel composition operator (syn-
chronous product) introduces neither non-determinism nor deadlock. Compile-time consistency
checks insure that the compound machine has a unique, minimal, reaction to each input event:
Let $M_1$ and $M_2$ be two deterministic and reactive I/O machines, let $\delta^o_{M_1}$, $\delta^o_{M_2}$ be their respective
output functions. When $M_1 \| M_2$ is in the state $(q_1, q_2)$ and receives an input event $i$, the output
event $o$ must satisfy

$$o = \delta^o_{M_1}(q_1, (i \cup o) \cap I_{M_1}) \cup \delta^o_{M_2}(q_2, (i \cup o) \cap I_{M_2})$$

i.e., be a fixpoint of the function $\lambda z.\ \delta^o_{M_1}(q_1, (i \cup z) \cap I_{M_1}) \cup \delta^o_{M_2}(q_2, (i \cup z) \cap I_{M_2})$. Causality
problems come from the fact that this function is not always monotone, and thus, may admit zero
or several minimal fixpoints. Compile-time consistency checks insure the existence and unicity
of a least fixpoint, and the synchronous product is defined by

$$\delta^o_M((q_1, q_2), i) = \mu z.\ \delta^o_{M_1}(q_1, (i \cup z) \cap I_{M_1}) \cup \delta^o_{M_2}(q_2, (i \cup z) \cap I_{M_2})$$

$$\delta^q_M((q_1, q_2), i) = \big(\delta^q_{M_1}(q_1, (i \cup \delta^o_M((q_1, q_2), i)) \cap I_{M_1}),\ \delta^q_{M_2}(q_2, (i \cup \delta^o_M((q_1, q_2), i)) \cap I_{M_2})\big)$$

(where, as usual, $\mu x.f$ denotes the least fixpoint of the function $\lambda x.f$).
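Since $O_{M_1} \cup O_{M_2}$ is finite and the function above need not be monotone, the fixpoints can be found by enumerating every candidate output event, which also detects the two paradoxes of Section 1.3. The following Python program is an added example and not code from the paper: each machine is reduced to the output function $\delta^o_M(q, \cdot)$ of a single state, the first two cases are the machines of Fig. 1 as described above, the third is a constructed causal chain, and the names `Machine`, `analyse` and `events` are assumptions of the example.

```python
from itertools import combinations

def events(signals):
    """All events (subsets) over a finite set of signals, as frozensets."""
    s = sorted(signals)
    return [frozenset(c) for k in range(len(s) + 1) for c in combinations(s, k)]

class Machine:
    """A deterministic I/O machine viewed from one state: only the output function
    delta^o(q, .) of that state is kept, as a map from input events to output events
    (the next-state function plays no role in the causality question)."""
    def __init__(self, inputs, outputs, rules):
        self.inputs, self.outputs = frozenset(inputs), frozenset(outputs)
        self.rules = {frozenset(i): frozenset(o) for i, o in rules.items()}
    def out(self, i):
        return self.rules.get(frozenset(i), frozenset())  # unlisted inputs: silent reaction

def analyse(m1, m2, i):
    """Reaction of M1||M2 to input event i. The candidate output z ranges over all
    events on O_M1 ∪ O_M2 and we keep the fixpoints of
        lambda z. delta^o_M1(q1, (i∪z)∩I_M1) ∪ delta^o_M2(q2, (i∪z)∩I_M2).
    Returns ("ok", least) when a unique least fixpoint exists, otherwise
    ("causality error", minimal_fixpoints): an empty list means no reaction at all,
    several incomparable elements mean a non-deterministic reaction."""
    i = frozenset(i)
    F = lambda z: m1.out((i | z) & m1.inputs) | m2.out((i | z) & m2.inputs)
    fixpoints = [z for z in events(m1.outputs | m2.outputs) if F(z) == z]
    minimal = [z for z in fixpoints if not any(w < z for w in fixpoints)]
    if len(minimal) == 1:
        return "ok", minimal[0]
    return "causality error", minimal

# Machines of Fig. 1 (Section 1.3): I_M1 = {x,y}, O_M1 = {z}; I_M2 = {x,z}, O_M2 = {y}.
# M2 emits y on {x} and nothing on {x,z}, in both cases.
M2 = Machine({"x", "z"}, {"y"}, {("x",): ("y",), ("x", "z"): ()})
# (a) M1 emits z on {x} and nothing on {x,y}: two incomparable reactions {z} and {y}.
M1a = Machine({"x", "y"}, {"z"}, {("x",): ("z",), ("x", "y"): ()})
# (b) M1 emits z only on {x,y}: no consistent reaction at all.
M1b = Machine({"x", "y"}, {"z"}, {("x",): (), ("x", "y"): ("z",)})
# Constructed, not in the paper: a causal chain x -> z -> y with a unique reaction {y,z}.
M1c = Machine({"x", "y"}, {"z"}, {("x",): ("z",), ("x", "y"): ("z",)})
M2c = Machine({"x", "z"}, {"y"}, {("x", "z"): ("y",)})

if __name__ == "__main__":
    for name, a, b in [("Fig. 1.a", M1a, M2), ("Fig. 1.b", M1b, M2), ("chain", M1c, M2c)]:
        print(name, analyse(a, b, {"x"}))
```

For Fig. 1.a the program finds the two fixpoints $\{y\}$ and $\{z\}$, neither of which is least, and for Fig. 1.b it finds none; both are rejected as causality errors, exactly the two situations the compile-time consistency checks must rule out. Only the causal chain yields a unique least fixpoint and hence a defined $\delta^o_M$.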

2 Observers of safety properties 

In this section, we show how a safety property can be specified by means of a synchronous
observer. Such an observer is an I/O machine, taking as inputs both the input and the output
signals of the machine under observation, and emitting an "alarm" signal as soon as the observed
signals do not satisfy the property.

2.1 Safety properties 

A trace $\tau$ on a set of signals $S$ is a finite or infinite sequence of events on $S$. A property on $S$
is a set of traces on $S$. An I/O machine $M$ satisfies a property $P$ if and only if each trace of $M$
belongs to $P$. A property $P$ on $S$ is a safety property if and only if:

$$\tau \in P \iff \tau' \in P \text{ for any finite prefix } \tau' \text{ of } \tau$$

In other words, a safety property is a prefix-closed (as expressed by the "$\Rightarrow$" implication above)
and limit-closed (as expressed by the "$\Leftarrow$" implication) language on the vocabulary $2^S$.
2.2 Observer

Let $P$ be a safety property on $S$. Let $\alpha$ (read "alarm") be a signal not in $S$. An observer of $P$ is
a deterministic and reactive I/O machine $\Omega_P = (Q_{\Omega_P}, q0_{\Omega_P}, S, \{\alpha\}, \delta_{\Omega_P})$, returning a sequence
of empty output events as long as it receives a sequence of input events which belongs to $P$.
More precisely, let $\tau$ be a finite trace on $S$ belonging to $P$ (notice that the empty trace belongs
to any safety property). Let $q_\tau$ be the state that $\Omega_P$ reaches after reading $\tau$ (if $\tau$ is the empty
trace, $q_\tau$ is the initial state of $\Omega_P$). Then, for any event $e \in 2^S$,

$$\delta^o_{\Omega_P}(q_\tau, e) = \begin{cases} \emptyset & \text{if } \tau.e \in P \\ \{\alpha\} & \text{otherwise} \end{cases}$$

Let us assume also that any transition emitting $\alpha$ leads to a distinguished state $q_\alpha$.

Now, a machine $M$ satisfies a safety property $P$ if and only if the compound machine $M \| \Omega_P$
never returns any event containing $\alpha$; or, equivalently, never reaches an erroneous state belonging
to $Q_M \times \{q_\alpha\}$. We will note $Q^P_M$ the set $Q_M \times (Q_{\Omega_P} \setminus \{q_\alpha\})$ of non erroneous states of $M \| \Omega_P$.

A practical advantage of this approach, is that the properties are written in the same language
as the programs, and in fact, properties are programs. As such, they can be executed and tested.
An observer can be actually run with the program, thus detecting any violation of the property
(run-time checks).

Notice that this approach cannot be used with only an asynchronous composition, or at
least, that it cannot be applied modularly. For instance, consider the following property: "the
signal $b$ is emitted at least once between every two successive emissions of the signal $a$". If
this property is checked by an asynchronous observer, since the observer is not guaranteed to
catch all the signals, it can miss any occurrence of $b$. So, even if the property is satisfied,
the observer can emit an alarm. To check such a property of an asynchronous program, one
must add some synchronisation code all along the transitions of the observed program, since
otherwise, the asynchronous product does not ensure that all the transitions will be observed.
When verifying a program, such modifications are of course harmful, since one cannot be sure
that the verified program behaves the same once the additional code is removed. This contradicts
G. Berry's "wypiwye" principle ("what you prove is what you execute") which fully applies in
the synchronous case.


2.3 Application to program verification 

The verification that a machine $M$ satisfies a safety property $P$ now amounts to proving that
the machine $M' = M \| \Omega_P$ never returns any event containing $\alpha$. So, any safety property has
been translated into an invariant. More precisely, one has to prove that the set $Reach(M')$ of $M'$
reachable states is included in the set $Q^P_M$ of non erroneous states of $M'$. $Reach(M')$ is classically
defined as a least fixpoint:

$$Reach(M') = \mu X.\ \{q0_{M'}\} \cup post_{M'}(X)$$

Let us list the advantages of this expression of the verificati<m problem, according to various 
verification methods: 

State enumeration: For finite state systems, sUte enumeration techniques (enunmrative 
model-checking) have been widdy experimented [QS82, CES86]. In general, these tech¬ 
niques involve the construction of the whde state gr^h of the program, and its memo¬ 
risation for the analysis of trace properties. Now, since the proUem has been reduced to 









the uialysis of a Mate prxtperty (an invariant), tlie state graph needs only to be traversed. 
Particularly efficient techniques are available (e.g., [Hol87]) for such a traversal. 

Reduction techniques: The drawback of state enumeration techniques is the explosion of the 
number of states, as the size of the program increases¹. Other approaches [BRdSV90] 
consist in building a reduced state graph, according to some observation criteria. Now, 
in our approach, the machine of interest is not really M||Ω_P, but rather (M||Ω_P)↓a, 
since we are only interested in the presence of the signal a. This is an obvious observation 
criterion. So, in contrast with classic model-checking, the property is taken into account in 
the state graph generation. Assume the property is satisfied, then the minimal state graph 
of (M||Ω_P)↓a has only one state (it is the "always silent" automaton). Algorithms for 
generating a minimal state graph have been proposed [BFH+92, LY92]. When applied to 
our simple verification problem, these algorithms amount to proving that the initial state 
belongs to the greatest invariant Invar(Q_P) included in Q_P, i.e., the greatest part of Q_P 
from which the transition relation does not permit to go out. This greatest invariant is 
well known to be a greatest fixpoint: 

    Invar(Q_P) = \nu X.\; Q_P \cap \mathrm{pre}_{M||\Omega_P}(X)

Approximate analysis: When infinite state systems are considered, approximate methods 
(and, in particular, abstract interpretation techniques [CC77, CC92]) can be applied to 
compute approximations of the set Reach((M||Ω_P)↓a). If an upper approximation of this 
set is included in Q_P, this proves that the erroneous states cannot be reached (see [Hal93] 
for an application of such a method). If a lower approximation intersects the complement 
of Q_P, an error is detected. 

In the remainder of the paper, we will essentially consider finite state machines, so all the 
considered fixpoints will be (theoretically) computable. In the following section, we will see 
that property observers can also be used to take into account known properties of the program 
environment. 
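The three methods above all reduce to computing one of the two fixpoints. The following is an added example, not code from the paper or from the Lustre/Saga tools: a toy I/O machine (a grant controller, constructed for the purpose) is composed synchronously with an observer of "grant never occurs in two consecutive reactions"; Reach(M') is computed as a least fixpoint and Invar(Q_P) as a greatest fixpoint, the two verdicts agree, and a deliberately buggy variant of the controller shows the alarm being reached. Signal names, states and the pre/post helpers are this example's own.

```python
"""Safety verification with a synchronous observer (added example, not code
from the paper).  Events are frozensets of signal names.  A machine is a set of
transitions (q, i, o, q') total in the input event i; an observer is a
deterministic step function reading i ∪ o and returning (next_state, alarm)."""
from itertools import combinations

ERR = "q_a"   # erroneous observer state: entered with the 'alarm' output, absorbing

def powerset(signals):
    """All events over a set of signals, as frozensets."""
    s = sorted(signals)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

def make_machine(buggy=False):
    """Constructed grant controller: input 'req', output 'grant'.  The correct
    version never grants in two consecutive reactions; the buggy one keeps
    granting while requests keep coming."""
    delta = set()
    for i in powerset({"req"}):
        req = "req" in i
        delta.add(("idle", i, frozenset({"grant"}) if req else frozenset(),
                   "busy" if req else "idle"))
        if buggy and req:
            delta.add(("busy", i, frozenset({"grant"}), "busy"))
        else:
            delta.add(("busy", i, frozenset(), "idle"))
    return {"idle", "busy"}, "idle", delta

def observer_no_double_grant(s, event):
    """Omega_P for P = 'grant never occurs in two consecutive reactions'.
    State 0/1 = whether the previous reaction granted; ERR is absorbing."""
    if s == ERR:
        return ERR, True
    granted = "grant" in event
    if s == 1 and granted:
        return ERR, True
    return (1 if granted else 0), False

OBS_STATES = {0, 1, ERR}

def product(q_m, q0_m, delta_m, obs, obs_states, obs0):
    """Synchronous product M || Omega_P: in one reaction M moves on (i, o) and
    the observer reads i ∪ o; its alarm, when raised, is added to the outputs."""
    states = {(q, s) for q in q_m for s in obs_states}
    delta = set()
    for (q, i, o, q2) in delta_m:
        for s in obs_states:
            s2, alarm = obs(s, i | o)
            delta.add(((q, s), i, o | ({"alarm"} if alarm else frozenset()), (q2, s2)))
    return states, (q0_m, obs0), delta

def post(delta, X):
    return {q2 for (q, _, _, q2) in delta if q in X}

def pre_all(delta, X):
    """States all of whose successors lie in X: the 'cannot go out' reading of pre."""
    succ = {}
    for (q, _, _, q2) in delta:
        succ.setdefault(q, set()).add(q2)
    return {q for q, ss in succ.items() if ss <= X}

def reach(delta, q0):
    """Reach(M') = mu X. {q0} ∪ post(X), iterated upward from the empty set."""
    X = set()
    while True:
        nxt = {q0} | post(delta, X)
        if nxt == X:
            return X
        X = nxt

def invar(delta, good):
    """Invar(Q_P) = nu X. Q_P ∩ pre(X), iterated downward from Q_P."""
    X = set(good)
    while True:
        nxt = good & pre_all(delta, X)
        if nxt == X:
            return X
        X = nxt

def verify(buggy=False):
    """(Reach(M') ⊆ Q_P, q0 ∈ Invar(Q_P)); the two verdicts always agree."""
    q_m, q0_m, delta_m = make_machine(buggy)
    states, q0, delta = product(q_m, q0_m, delta_m, observer_no_double_grant, OBS_STATES, 0)
    good = {qs for qs in states if qs[1] != ERR}      # Q_P: observer not in q_a
    return reach(delta, q0) <= good, q0 in invar(delta, good)

if __name__ == "__main__":
    print("correct controller:", verify(False))   # (True, True)
    print("buggy controller:  ", verify(True))    # (False, False)
```

The predecessor used for Invar is the universal one, which is the "does not permit to go out" reading given in the text: with a non-deterministic machine, the existential predecessor would compute the states that can stay in Q_P, not those that must.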

3 Taking the environment into account 

The main feature of reactive systems is that they tightly interact with their environment. As 
a consequence, the properties of the environment must be carefully taken into account in the 
design and verification of such a system. A reactive system is not intended to work in an arbitrary 
environment. In general, system specifications contain a lot of information about the behavior 
of the environment, which are the hypotheses under which the design must take place. These 
known properties about the environment can involve not only the inputs of the system, but also 
its outputs, since the environment responds to the system. So, in general, among the set of 
traces of an I/O machine, only some of them are "realistic", i.e., satisfy the assumptions about 
the environment. In this section, we show how the behavior of an I/O machine can be restricted 
by a safety property, in order to take such assumptions into account in the verification process. 

¹ Notice that the state explosion is more important in an asynchronous system, because of the non deterministic 
interleaving of asynchronous transitions. 
3.1 Behavior restriction 

Given a safety property A (assumption) of the environment of M, our goal is to define a restricted 
machine M' having exactly the same behaviors as M composed with any environment satisfying 
A: the set of traces of M' must be the intersection with A of the set of traces of M. 

Restriction: Let M be an I/O machine, and Ω_A be an observer of a safety property A on the 
set S = I_M ∪ O_M of input/output signals of M. Let M' = M||Ω_A. We define the restriction 
M/Ω_A to be the I/O machine (Q_{M'}, q_{0M'}, I_M, O_M, δ') where 

    \delta' = \{(q, i, o, q') \in \delta_{M'} \mid a \notin o\}

Obviously, the restricted machine M/Ω_A is generally not reactive, even if M is reactive: the 
restriction takes into account a property of the environment, and thus refuses some unrealistic 
inputs. However, it can happen that in some states of the restricted machine, all the input events 
are refused. So, the restricted machine deadlocks, a highly undesirable situation in reactive 
systems. One can consider this as an error in the expression of the assumption A. However, we 
adopt another point of view: when restricting a machine M with an assumption A, the user 
intends to consider all the infinite traces of M that satisfy A. So, the machine must not enter 
any path in M/Ω_A which inevitably leads to a deadlock state. We define now another restriction, 
called non-blocking restriction, which has the intended behavior: 

Non-blocking restriction: Let M be an I/O machine, and Ω_A be an observer of a safety 
property A on the set S = I_M ∪ O_M of input/output signals of M. Let M' = M||Ω_A. Let us call 
sink_A the set of states of M' leading inevitably to the violation of A: 

    \mathrm{sink}_A = \mu X.\; \widetilde{\mathrm{pre}}_{M'}((Q_M \times \{q_a\}) \cup X)

(where \widetilde{\mathrm{pre}}_{M'}(Y) denotes the set of states all of whose outgoing transitions lead into Y). 
Then, if q_{0M'} ∉ sink_A, we define M//Ω_A to be the I/O machine (Q_{M'} \ sink_A, q_{0M'}, I_M, O_M, δ''), 
where 

    \delta'' = \delta' \cap ((Q_{M'} \setminus \mathrm{sink}_A) \times E_{I_M} \times E_{O_M} \times (Q_{M'} \setminus \mathrm{sink}_A))
             = \{(q, i, o, q') \in \delta_{M'} \mid q, q' \notin \mathrm{sink}_A \text{ and } a \notin o\}

One can notice that, if M is deterministic, M//Ω_A = M/Ω_{A'}. So, the property A 
has been strengthened into the other property A' = traces(Q_{M'} \ sink_A) which cannot block the 
machine M: any finite trace satisfying A' leads to a state of M which has at least one outgoing 
transition preserving A'. 

3.2 Application 

As before, a direct use of this way of expressing assumptions by an observer is to execute the 
observer with the program, thus checking at run-time that the assumptions are satisfied. The 
restriction can also be used for program testing, to use only test cases corresponding to realistic 
scenarios. We consider now the use of restriction in the verification process: 

Verification under assumptions: Given an I/O machine M, a safety assumption A about its 
environment, and a safety property P, one can prove that M satisfies P provided the environment 
satisfies A, by 

1. proving that M//Ω_A has some behaviors, i.e., that the initial state of M||Ω_A does not 
belong to sink_A. Otherwise, the assumption and the program are contradictory. 

2. verifying that the machine ((M//Ω_A)||Ω_P)↓{a} emits only empty events (of course, here, 
a is the alarm signal of Ω_P). 
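The first step above and the definitions of Section 3.1, as an added example that is not code from the paper: a small composed machine M' = M||Ω_A is written down directly as a transition relation over abstract states, with the violation states Q_M × {q_a} folded into one absorbing state. The code computes sink_A as a least fixpoint, shows that the plain restriction M/Ω_A leaves a deadlocked state while the non-blocking restriction M//Ω_A does not, and refuses the restriction when the initial state lies in sink_A (the "contradictory assumption" case). States, events and helper names are constructed for the example.

```python
"""Restriction of a machine by an environment assumption (added example, not
code from the paper).  M' = M || Omega_A is given directly as transitions
(q, i, o, q') over abstract states; the violation states Q_M x {q_a} are folded
into the single absorbing state ERR, so 'the alarm is raised' is q' == ERR."""

ERR = "q_a"
E, X = frozenset(), frozenset({"x"})      # the two possible input events (I = {x}, O = {})

# Constructed M': from s1 the input event {} leads to s2, from which A is
# inevitably violated whatever the environment does next.
STATES = {"s0", "s1", "s2", ERR}
Q0 = "s0"
DELTA = {
    ("s0", E, E, "s0"), ("s0", X, E, "s1"),
    ("s1", E, E, "s2"), ("s1", X, E, ERR),
    ("s2", E, E, ERR),  ("s2", X, E, ERR),
    (ERR, E, E, ERR),   (ERR, X, E, ERR),
}

def pre_all(states, delta, Y):
    """States all of whose outgoing transitions lead into Y.  A state with no
    outgoing transition is included: it is already blocked."""
    succ = {q: set() for q in states}
    for (q, _, _, q2) in delta:
        succ[q].add(q2)
    return {q for q in states if succ[q] <= Y}

def sink(states, delta, bad):
    """sink_A = mu X. pre~((Q_M x {q_a}) ∪ X), iterated upward from the empty set."""
    acc = set()
    while True:
        nxt = pre_all(states, delta, bad | acc)
        if nxt == acc:
            return acc
        acc = nxt

def plain_restriction(delta, bad):
    """M / Omega_A: drop the transitions that violate A; may leave deadlocks."""
    return {t for t in delta if t[3] not in bad}

def nonblocking_restriction(states, q0, delta, bad):
    """M // Omega_A: defined only when q0 is not in sink_A (otherwise the
    assumption and the machine are contradictory and None is returned).
    Removes every sink state and every transition touching one."""
    sk = sink(states, delta, bad)
    if q0 in sk:
        return None
    keep = states - sk
    return keep, {t for t in delta if t[0] in keep and t[3] in keep}

def deadlocked(states, delta):
    """States of 'states' with no outgoing transition in 'delta'."""
    return {q for q in states if not any(t[0] == q for t in delta)}

if __name__ == "__main__":
    print(sink(STATES, DELTA, {ERR}))                                   # {'s1', 's2', 'q_a'}
    print(deadlocked(STATES - {ERR}, plain_restriction(DELTA, {ERR})))  # {'s2'}
    keep, delta2 = nonblocking_restriction(STATES, Q0, DELTA, {ERR})
    print(keep, deadlocked(keep, delta2))                               # {'s0'} set()
```

Note that s1 ends up in sink_A although it has a transition that does not raise the alarm: its only non-violating move leads to s2, which is itself doomed, and the fixpoint iteration propagates this backwards.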

Modular verification: Any sub-process of a compound system sees the remainder of the 
system as a part of its own environment. The ability to take the environment into account 
allows modular verification: having proved a property about a sub-process, one can use this 
property in the verification of the remainder of the system. More precisely, let M_1, M_2 be two 
machines, and let P be a safety property we want to prove about M_1||M_2. Assume another safety 
property P' has been proven about M_2 alone. Then if M_1||Ω_{P'} satisfies P, so does M_1||M_2. This 
amounts to considering M_2 as the environment of M_1. Of course, assumptions about the global 
environment can also be taken into account. With a little additional hypothesis (see [AL89] and 
the "decomposition theorem" of [KL93]), which amounts to the absence of causality problems, 
one can even use a seemingly circular reasoning, which consists first in proving a property P_1 of 
M_1 under the assumption that M_2 satisfies P_2, and then in proving that M_2 satisfies P_2 assuming 
M_1 satisfies P_1. 

Inductive proofs: Moreover, the modular verification technique can be extended to the inductive 
verification of regular networks of processes [WL89, HLR92a]. Assume one wants to 
prove a safety property P of the machine M||M||...||M for any n ≥ 1. This can be done by 
finding a property P' such that 

1. M satisfies P' 

2. M||Ω_{P'} satisfies P' 

3. P' implies P 

(1) proves that P' holds for n = 1, (2) proves that, if P' holds for n, then it holds for n + 1. So, 
P' holds for any n, and from (3), so does P. Point (3) can be established by proving that the 
machine χ(I,O)||Ω_{P'} satisfies P, where 

    \chi(I, O) = (\{q\}, q, I, O, \{q\} \times E_I \times E_O \times \{q\})

is the "chaos" machine which completely non deterministically returns any event of E_O whatever 
be its input event from E_I. Of course, as for modular verification, a crucial problem is the choice 
of the property P'. It is considered in the next section. 

4 Specification synthesis 

Let us come back to modular verification: given two machines M_1 and M_2, and a safety property 
P on S = I_{M_1} ∪ O_{M_1} ∪ I_{M_2} ∪ O_{M_2}, one must find a property P' on S_2 = I_{M_2} ∪ O_{M_2} such that 

1. M_2 satisfies P', and 

2. M_1||Ω_{P'} satisfies P 

Moreover, the proof of each of the above points is expected to be easier than the global proof 
that M_1||M_2 satisfies P. 

This section deals with the synthesis of such a property P', satisfying the point (2) above by 
construction, when all the involved machines are finite state. 

First, we need some additional definitions: let τ = (e_1, e_2, ...) be a trace on S. We 
define the projection of τ on a set S' of signals to be the trace τ↓S' = (e_1 ∩ S', e_2 ∩ S', ..., e_n ∩ 
S', ...). The projection on S' of a set T of traces is T↓S' = {τ↓S' | τ ∈ T}. If T is a set 
of finite traces on S, we note C(T) the set of traces on S which do not have any prefix in T. 
Obviously, C(T) is a safety property. 

The intuitive method to find P' is the following: replace M_2 by the "chaos" machine χ(I_{M_2}, O_{M_2}). 
If M_1||χ(I_{M_2}, O_{M_2}) satisfies P, the machine M_2 does not influence the satisfaction 
of P (i.e. we can take P' = true) and we are done. Otherwise, M_1||χ(I_{M_2}, O_{M_2}) can reach some 
erroneous states, and the role of M_2 is to forbid the traces leading to those states. But, for doing 
so, M_2 can only restrict its own signals (P' cannot involve signals that M_2 cannot see). 

More precisely: compute Reach(M_1||Ω_P). If it does not intersect Q_{M_1} × {q_a}, let P' = true. 
Otherwise let T_err = traces(Q_{M_1} × {q_a}) be the set of erroneous traces. The following proposition 
states that C(T_err↓S_2) is a necessary and sufficient property that M_2 must satisfy so that M_1||M_2 
satisfies P: 

Proposition: Let P' = C(T_err↓S_2). Then M_2 ⊨ P' ⟺ M_1||M_2 ⊨ P. 

Proof: Let τ[n] denote the nth prefix of a trace τ. 

(⇒): If M_2 ⊨ P', then every trace τ of M_1||M_2 satisfies τ↓S_2 ∈ C(T_err↓S_2). So, ∀n, (τ↓S_2)[n] 
∉ T_err↓S_2, and since (τ↓S_2)[n] = (τ[n])↓S_2, ∀n, τ[n] ∉ T_err. This means that τ ∈ P. 
(⇐): Assume M_2 does not satisfy P', and let τ be a trace of M_2 not belonging to P'. Then, 
there exists n such that τ[n] ∈ (T_err↓S_2), and there exists a trace τ' ∈ T_err such that τ[n] = 
(τ'[n])↓S_2. So, the finite trace τ'[n] is compatible with both M_1 and M_2 and leads to the 
violation of P. □ 

Remark: P' = C(T_err↓S_2) is stronger than P'' = C(T_err)↓S_2. A trace τ of M_2 can be the 
common projection of two traces τ' and τ'' of M_1||M_2, with τ' ∈ C(T_err) and τ'' ∉ C(T_err). In 
that case, τ belongs to P'' (as the projection of τ') and not to P'. 

Stronger specifications: However, the necessary and sufficient property P' = C(T_err↓S_2) is 
sometimes too complicated to be interesting: as a matter of fact, an observer of P' can be as 
complicated as M_1||Ω_P. In that case the proof that M_2 satisfies P' is not easier than the proof 
that M_1||M_2 satisfies P, so nothing is gained with modular proof. Now, any stronger property 
than P' can be tried. Such a stronger property P'' will still ensure that M_1||Ω_{P''} satisfies P, 
but, since it is no longer a necessary property, one cannot conclude that M_1||M_2 does not satisfy 
P if M_2 does not satisfy P''. 

The basic technique to build such a stronger property P'' is the following: let us note avoid 
the function λT. C(T↓S_2). Thus, P' = avoid(T_err). Then, for any set T of traces containing T_err 
(i.e., for any upper approximation of T_err), avoid(T) is stronger than P'. 
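The construction of P' = C(T_err↓S_2), as an added example that is not code from the paper: M_1||Ω_P is written down directly as a transition relation labelled with events over S = {x, p}, where x is the only signal M_2 can see (S_2 = {x}) and p is private to M_1's environment. An observer of P' is obtained by a subset construction over the S_2-projection of the trace read so far (the set of product states some S-trace with that projection could be in); it raises the alarm as soon as that set contains the erroneous state. The same code decides membership in the weaker P'' = C(T_err)↓S_2 of the Remark, so the difference between the two is visible on a concrete trace. The machine and all names are constructed for the example.

```python
"""Observer of P' = C(T_err ↓ S_2) by a subset construction (added example,
not code from the paper).  M_1 || Omega_P is a set of transitions (q, e, q')
with e a frozenset of signals over S; the erroneous states Q_{M_1} x {q_a} are
represented by the single absorbing state ERR."""

ERR = "q_a"

def ev(*signals):
    return frozenset(signals)

# Constructed product M_1 || Omega_P over S = {x, p}.  x belongs to S_2 (it is
# M_2's signal); p comes from the global environment and M_2 cannot see it.
# The only way to reach ERR is an 'x' followed by 'x together with p'.
Q0 = 0
DELTA = {
    (0, ev(), 0), (0, ev("p"), 0), (0, ev("x"), 1), (0, ev("x", "p"), 1),
    (1, ev(), 0), (1, ev("p"), 0), (1, ev("x"), 0), (1, ev("x", "p"), ERR),
    (ERR, ev(), ERR), (ERR, ev("p"), ERR), (ERR, ev("x"), ERR), (ERR, ev("x", "p"), ERR),
}
S2 = frozenset({"x"})

def reach(delta, q0):
    """Reach(M_1 || Omega_P): if ERR is not in it, P' = true and nothing is needed."""
    seen, todo = {q0}, [q0]
    while todo:
        q = todo.pop()
        for (p, _, q2) in delta:
            if p == q and q2 not in seen:
                seen.add(q2)
                todo.append(q2)
    return seen

def step(delta, subset, e2, s2):
    """One observer step on an S_2-event: follow every product transition
    whose label projects onto e2 (the hidden signals are existentially quantified)."""
    return frozenset(q2 for (q, e, q2) in delta if q in subset and (e & s2) == e2)

def in_P_prime(delta, q0, s2, trace2):
    """trace2 ∈ C(T_err ↓ S_2): no prefix of trace2 is the projection of an erroneous trace."""
    subset = frozenset({q0})
    for e2 in trace2:
        subset = step(delta, subset, e2, s2)
        if ERR in subset:
            return False
    return True

def in_P_second(delta, q0, s2, trace2):
    """trace2 ∈ C(T_err) ↓ S_2: some non-erroneous S-trace projects onto trace2
    (the weaker property of the Remark; ERR is simply dropped along the way)."""
    subset = frozenset({q0})
    for e2 in trace2:
        subset = step(delta, subset, e2, s2) - {ERR}
        if not subset:
            return False
    return True

if __name__ == "__main__":
    double_x = [ev("x"), ev("x")]
    print(ERR in reach(DELTA, Q0))                   # True: P' is not trivially 'true'
    print(in_P_prime(DELTA, Q0, S2, double_x))       # False: M_2 must never emit x twice in a row
    print(in_P_second(DELTA, Q0, S2, double_x))      # True: a safe completion (without p) exists
```

The observer's states are subsets of the product's states, which is exactly why the text warns that an observer of P' can be as large as M_1||Ω_P itself; an upper approximation of T_err (a coarser subset tracking, or one that merges states) gives a smaller but stronger observer, as in the "Stronger specifications" paragraph.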

5 Module synthesis 

In the preceding section, we have outlined a method to find a property P' such that, for any 
machine M_2 satisfying P', M_1||M_2 satisfies P. P' has been only deduced from M_1 and P, so, 
it could be built even before M_2 is designed. So, the next question is: can M_2 be synthesized 
from P', considered as a specification? In the finite state case, this is theoretically possible: 
the specification must be strengthened to become executable. P' has been constructed so as to 
concern only the input/output signals of M_2. Now, an additional constraint is that M_2 must 
preserve P' by controlling only its output signals. In each reachable state, and whatever be the 
received input event (possibly satisfying an input assumption), M_2 must be able to perform a 
transition preserving P'. 

Executability: A property P on a set of signals S = I ∪ O is executable with respect to (I, O), 
if and only if for any finite trace τ ∈ P, for any input event i ∈ E_I, there exists an output event 
o ∈ E_O such that τ.(i ∪ o) ∈ P. For any safety property P, there exists a weakest executable 
safety property implying P. It will be noted ℰ(P). 

Relative precondition: Let P be a safety property on I ∪ O and Ω_P be an observer of P. 
For any X ⊆ Q_{Ω_P}, we define 

    \widetilde{\mathrm{pre}}_{\Omega_P}(X) = \{q \mid \forall i \subseteq I,\ \exists o \subseteq O,\ \delta_{\Omega_P}(q, i \cup o) \in X\}

In other words, \widetilde{\mathrm{pre}}_{\Omega_P}(X) is the set of states which can lead into X (in one step) whatever be 
the input event received in these states. 

Executable strengthening: Let Exe = νX. \widetilde{\mathrm{pre}}_{\Omega_P}(X) \ {q_a}. Then Exe does not contain the 
erroneous state and 

    \forall q \in \mathrm{Exe},\ \forall i \subseteq I,\ \exists o \subseteq O \text{ such that } \delta_{\Omega_P}(q, i \cup o) \in \mathrm{Exe}

Moreover, Exe is the largest set of states satisfying this property. As a consequence, a restriction 
of Ω_P which detects any trace going out of Exe is an observer of ℰ(P). Another consequence is 
that χ(I,O)/Ω_{ℰ(P)} is the most general reactive machine satisfying P. Notice that Exe can be 
empty, which means that P is not realizable in the sense of [ALW89]: there is no machine on 
(I, O) preserving P against any environment. 
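The executable strengthening and the synthesis of χ(I,O)/Ω_{ℰ(P)}, as an added example that is not code from the paper: observers are written as deterministic step functions on events, Exe is computed as the greatest fixpoint νX. pre~(X) \ {q_a} by iterating downward from Q_{Ω_P} \ {q_a}, and the most general reactive machine is read off as the set of outputs keeping the observer inside Exe for each (state, input event). Two constructed properties on I = {req}, O = {ack} are used: one executable (the synthesized machine is unique: ack exactly one reaction after each req) and one not realizable in the sense above (Exe is empty, because an environment sending req at every reaction forces two consecutive acks). Names and properties are this example's own.

```python
"""Executable strengthening E(P) and synthesis of the most general reactive
machine (added example, not code from the paper).  An observer is a
deterministic step function delta(q, event) on events (frozensets of signals
over I ∪ O); reaching ERR means the property is violated."""
from itertools import combinations

ERR = "q_a"

def powerset(signals):
    s = sorted(signals)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

def pre_tilde(step, states, inputs, outputs, X):
    """pre~(X) = { q | for all i ⊆ I there is o ⊆ O with delta(q, i ∪ o) ∈ X }:
    states from which the machine can stay in X whatever input it receives,
    by choosing its output."""
    return {q for q in states
            if all(any(step(q, i | o) in X for o in powerset(outputs))
                   for i in powerset(inputs))}

def executable_states(step, states, inputs, outputs):
    """Exe = nu X. pre~(X) minus {q_a}, iterated downward from all non-erroneous states."""
    X = set(states) - {ERR}
    while True:
        nxt = pre_tilde(step, states, inputs, outputs, X) - {ERR}
        if nxt == X:
            return X
        X = nxt

def synthesize(step, states, inputs, outputs):
    """chi(I, O) / Omega_E(P): for each executable state and input event, the
    outputs that keep the observer inside Exe.  Empty when P is not realizable."""
    exe = executable_states(step, states, inputs, outputs)
    return {(q, i): {o for o in powerset(outputs) if step(q, i | o) in exe}
            for q in exe for i in powerset(inputs)}

# Constructed property P1 on I = {req}, O = {ack}: 'ack' exactly in the reaction
# following each 'req'.  State = whether an ack is pending.
def obs_ack_after_req(q, e):
    if q == ERR:
        return ERR
    if ("ack" in e) != q:        # ack is required iff one is pending
        return ERR
    return "req" in e

STATES_P1 = {False, True, ERR}

# Constructed property P2: ack in the reaction after each req, and never ack in
# two consecutive reactions.  State = (ack pending, ack emitted last reaction).
def obs_no_double_ack(q, e):
    if q == ERR:
        return ERR
    pending, last = q
    ack = "ack" in e
    if (pending and not ack) or (last and ack):
        return ERR
    return ("req" in e, ack)

STATES_P2 = {(p, l) for p in (False, True) for l in (False, True)} | {ERR}

if __name__ == "__main__":
    I, O = {"req"}, {"ack"}
    print(executable_states(obs_ack_after_req, STATES_P1, I, O))   # {False, True}
    print(synthesize(obs_ack_after_req, STATES_P1, I, O))          # exactly one output per (state, input)
    print(executable_states(obs_no_double_ack, STATES_P2, I, O))   # set(): not realizable
```

The downward iteration removes a state as soon as some input event leaves the machine no output that stays inside the current candidate set; for P2 the state "ack pending and ack just emitted" goes first, and its removal then empties the whole set, which is the [ALW89] non-realizability verdict.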


Conclusion 

Many ideas that have been presented are specializations and simplifications of previous works. 
For instance: 

• The specification of properties by means of a synchronous observer is very close to the 
approach of COSPAN [Kur89], which takes also into account liveness, both in the program 
and the properties. 

• Several verification approaches take into account the environment, e.g., [Jos87] [AL89] 
[Jos92], and some of them propose modular methods. The "don't care sets" considered in 
hardware design and verification [BBH+88, DD9?] are also a way of expressing assumptions 
about the environment. 

• The synthesis problems considered in Sections 4 and 5 have been dealt with in several papers, 
both in control theory [RW87, RW89, HWT92] and in computer science [PR89, ALW89], 
and often extended to cope with liveness properties. 
Our simplifications consist in considering safety properties of synchronous systems. They are 
suggested by the application field we have in mind: the synchronous model has been shown to 
be very convenient for the design of reactive systems. In general, most liveness properties are 
introduced for one of the following reasons: 

• To abstract a real-time constraint: for instance, one replaces a deadline property by the 
requirement that something "eventually occurs". Now, in reactive systems, such real-time 
constraints may not be abstracted, in general: the constraint "an alarm must be sent within 
2 milliseconds after the detection of a dangerous situation" may not be replaced by "the 
alarm must eventually occur". 

• To restrict the asynchronous semantics: in asynchronous models, concurrency is modelled 
by non-deterministic interleaving, and this non-determinism must be restricted by fairness 
constraints. Obviously, this problem does not exist in the synchronous model. In 
asynchronous systems, compositionality is also achieved by allowing arbitrary (but fair) 
"stuttering" of processes. The synchronous model is obviously compositional thanks to 
zero-time, simultaneous reactions. 

Now, these simplifications are certainly fruitful, from a practical point of view. They increase 
the performance of the automatic tools: for instance, for finite state methods, the synchronous 
model drastically reduces the size of the considered state graphs; safety properties can be checked 
by a graph traversal, without storing any path. To specify a safety property by means of an 
observer, one doesn't need to use (and to learn) any other language than the programming 
language used to write the program. All these ideas are under implementation in the Lustre-Saga 
software development system [HCRP91], and actual industrial experimentations are going on. 
Constraints in Term Algebras 
(Short Survey) 


Hubert Comon 
May 16, 1993 


Unification, which consists in solving equations in the (free) term algebra, is known to be a fundamental 
operation in many areas of computer science and, in particular, in logic programming. Disunification, 
which consists in solving more complex formulae in the (free) term algebra, also revealed 
itself to be a fundamental operation (see [24, 11] for surveys on unification and disunification respectively). 
Recently, these computations have been seen as constraint solving in term algebras and this point of 
view is actually fruitful. Let us first make clear what we mean by "constraint". 

1 Constraints: a definition 

A constraint system is defined by a logical language 𝒞 (which is in general a fragment of a first-order 
language), a structure M in which the formulae of 𝒞 are interpreted and an algorithm 𝒜 which decides, 
for every φ ∈ 𝒞, whether φ is satisfiable in M or not. There are many examples: 𝒞 can be a full 
first-order language, in which case the third condition implies the decidability of the (first-order) 
theory of M. For example, the constraint system could correspond to Presburger arithmetic or the 
theory of real numbers. It could also be the theory of finite trees, since this theory has been shown 
decidable [30, 29, 15]. Many other examples will be given later. 

Now constraints can be (and have been) studied for their own mathematical interest. But they 
can also be used to constrain other formulae. More precisely, given a logical language 𝓛, a class of 
structures 𝓜 and a satisfaction relation ⊨ on one hand, and a constraint system (𝒞, M, 𝒜) on the 
other hand, given in addition, for each structure S in 𝓜, a mapping H_S from the domain D of M 
into the domain D_S of the structure S, the constrained logic consists in 

• the language of pairs of formulae (called constrained formulae) φ|C where φ ∈ 𝓛 and C ∈ 𝒞 

• a satisfaction relation defined as follows. Given an assignment σ of the free variables of C into 
D and an assignment θ of the free variables of φ into D_S, 

where H_S(σ) is the assignment which associates each variable x in the domain of σ with H_S(xσ). 

This definition is a bit complicated (and is not satisfactory in many respects), but everything 
collapses when we consider constraints in term structures (also called symbolic constraints). Indeed, 
assuming that M is a term structure and that terms of 𝒞 are also terms of 𝓛, H_S can be (and will 
be) chosen as the interpretation defined by S. This means that we no longer need M to define the 
meaning of a constrained formula: 

    \phi | C \ \text{represents}\ \{\phi\sigma \mid \sigma \models C\}

a constrained formula is a shorthand for the (infinite) set of its instances corresponding to assignments 
of its free variables which satisfy the constraint. For example, P(x, y)|x ≠ y could represent the set 
of all formulae P(α, β) where α and β are two distinct terms. This justifies the use of the symbol 
| which can be read "such that": its use here does not differ from its use in set definitions (in the 
comprehension axiom). 

Let us conclude these definitions with two remarks: first, this notion of "constraints" is coherent 
with what is used in practice in logic programming or artificial intelligence, but is quite different from 
the "constraints" which are used in the algebraic specification community. Secondly, let us emphasize 
that the constraints are different from what is usually called a "condition"; consider for example the 
system 

    f(x) = a \mid a = b
    a = b

where a, b are two distinct constants. Considering these formulae as constrained ones, in which the 
equality symbol is freely interpreted, the first constrained formula represents the set {f(x)σ = aσ | σ ⊨ 
a = b}. But a = b is unsatisfiable in the free algebra since a and b are distinct. Hence, this set is empty 
and the system collapses to the single equation a = b. On the contrary, if | is seen as an implication 
then it is possible to prove a = b using the second equation, and hence, using a cut, we prove that 
f(x) = a. 

2 On the use of constraints 

It should be quite clear from the definition that (symbolic) constraints can enhance the expressiveness 
of a logical language, since they allow for a schematization of possibly infinite sets of formulae. This 
ability has been used in many situations: 

• in constraint logic programming (e.g. [23]) 

• in order to construct (counter)models [6] 

• to forbid particular instances [25] 

• to express control strategies in the formulae themselves [34] 

• to avoid the combinatorial explosion of semantic unification (e.g. [18]) 

Constraints might also be used in order to clearly separate irrelevant (from the computational 
point of view) parts of a formula. This is the case for equational constraints and the so-called basic 
strategy (see [2, 33] for recent developments). 

Finally, everybody knows that even if, according to Church's thesis, every programming language 
has the same expressive power, there are some languages that are better suited than others to the 
implementation of some algorithms. Similarly, depending on the problem, some logical languages are 
better suited than others. Constraints provide the desired flexibility since they are used combined 
with a logical language; it is therefore possible to use any adequate language to express properties of 
a particular domain. 






3 Examples of symbolic constraints 

3.1 Equations 

The most well-known example of symbolic constraints is unification problems. In such a constraint 
system, the logical language consists of (disjunctions of existentially quantified) conjunctions of equations 
between terms. The equations are interpreted in the free term algebra T(F) (this is the classical 
interpretation) or in some quotients T(F)/=_E by a finitely generated congruence =_E. Using these 
constraints in logic programs or automated deductions prevents applying substitutions, which may be 
an expensive operation in case of duplications. That is why they are used since the very beginning in 
logic programming. In case of interpretations in quotient algebras, equations are also more relevant 
than unifiers since there might be a very large minimal complete set of unifiers (doubly exponential 
w.r.t. the size of the equations, in the case of associative-commutative function symbols), whereas the 
satisfiability of an equation system is much simpler (NP-complete in the case of AC symbols) [27]. We 
cannot survey all equational theories =_E for which unification is decidable. See [24] instead. 

3.2 Equational formulae 

More generally, equational formulae are arbitrary first-order formulae over an alphabet F of function 
symbols and the equality predicate symbol. Assuming that they are interpreted in the free term 
algebra, there are several decision techniques which lead to complete axiomatizations of the algebra of 
finite trees (see [30, 28, 29, 15, 31] and others). This axiomatization differs, depending on the finiteness 
of F: when F is finite, the complete axiomatization consists of what is known as "Clark's axioms of 
equality" plus the domain closure axiom 

    \forall x,\ \bigvee_{f \in F} \exists \bar{x}.\ x = f(\bar{x})

Equational formulae can be generalized in various directions. One of them consists in adding sort 
constraints, i.e. an (infinite) family of membership predicate symbols ∈ C which are interpreted as 
recognizable subsets of the term algebra T(F). The satisfiability of equational formulae remains 
decidable with this additional construction [8]. These formulae have been used for solving problems 
in rewriting theory (e.g. "sufficient completeness" and "inductive reducibility" [11, 8]), and as a 
constraint system in automated theorem proving [6]. Other applications are described in [11]. 

The first-order theory of a quotient algebra T(F)/=_E quickly becomes undecidable; a single associative 
symbol suffices [35], or an associative-commutative symbol [37]. Decidability results include 
the case where E is a set of flat permutative axioms [30], ground axioms [10] and E is a set of shallow 
equations, a class which encompasses the two previous ones [14]. 


3.3 Ordering constraints 

We already mentioned ordering constraints as a means for expressing ordered strategies. Here, the 
logical language consists of purely existential formulae, using a set of function symbols F and the two 
predicate symbols = and >. Several interpretations of the ordering have been considered: 

• Venkataraman in [38] interprets > as a subterm ordering, showing the decidability of the system 
(and undecidability of the first-order theory). However, such an ordering is useless for 
applications in rewriting theory, since it is not compatible with the term algebra structure. 

• The adequate orderings for the applications in automated deduction are the reduction orderings 
(see [16]) which are total on ground terms. A typical example of such an ordering is the lexicographic 
path ordering extending a total precedence, whose existential fragment has been shown 
decidable [9]. This result has been extended to other total recursive path (quasi-)orderings [26]. 
The decidability of the full first-order theory of these orderings is an open question (problem 24 
in [17]). 

• The theory of partial recursive path orderings appears to be even more difficult; the Σ_4 fragment 
has been shown undecidable [37]. The decidability of the existential fragment of any such 
ordering is open. The only hint for this problem is the recent result of [5]: the positive existential 
fragment of the theory of tree embedding is decidable. (Tree embedding is the most simple 
recursive path ordering: it is the intersection of all simplification orderings). 

• Interpreting > as encompassment (a term t encompasses u if there is an instance of u which 
is a subterm of t), it is possible to express some properties such as inductive reducibility or 
(sometimes) sufficient completeness using first order formulae (see [7]). The first-order theory 
of a finite number of unary predicate symbols of the form > t has been shown decidable in [7]. 

3.4 Set constraints 

Many other symbolic constraints have been studied. But it is too long a work to list all of them. 
Let us conclude with set constraints, for which many recent beautiful results have been obtained. 
(And there is still some work to do!). A set expression is built from a finite alphabet of function 
symbols, set variables and the intersection, union and complement symbols. Then, set constraints are 
finite conjunctions of formulae e ⊆ e' where e, e' are set expressions. These formulae are interpreted 
by assigning set variables to subsets of the term algebra T(F). 

Such constraints have been used for the analysis of logic and functional programs (see [21, 1, 19]). 
The case of definite constraints has been solved in [21] and the general case has been further studied 
by quite different means in [1, 3, 20]. There are two extensions which are still under investigation: 
adding negative constraints of the form e ⊄ e' and adding the projection construction, which consists 
roughly of the inverse of applying a function symbol (see [21]). These extensions have been conjectured 
decidable. 

4 Constraint solving 

To solve a constraint not only means to decide its satisfiability. More precisely, a constraint solving 
algorithm is specified by: 

• the constraint system (𝒞, M, 𝒜) 

• a subset S of 𝒞 called the set of solved forms 

S has to fulfill some requirements (see [11]), in particular, every formula of 𝒞 should be equivalent (in 
M) to a solved form, and every solved form should be trivially satisfiable or trivially unsatisfiable. 
However, there is still some room for choosing the solved forms. For example, in the case of unification 
(in free algebras), one can choose tree solved forms or DAG solved forms as explained in [24]. 

Once solved forms have been specified, we systematically design constraint solving algorithms 
using rewriting techniques: we give a set of rewrite rules on formulae, prove their correctness (every 
formula in 𝒞 is rewritten to an equivalent formula w.r.t. M), termination (any rewriting sequence is 
finite) and completeness (every irreducible formula is a solved form). There are several advantages to 
this method: 

• The rules can be redundant (and this is actually a desirable property). Then the termination 
proof might be complex, but it "factorizes" the termination proof for all algorithms obtained 
by determining the control. For example (as we will see below) tree solved forms (Robinson's 
unification algorithm [36, 22]) and DAG solved forms (corresponding to Martelli and Montanari's 
unification algorithm [32]) are obtained by strengthening the control on the same set of rules. 

• There is a feed-back on the theory, since the rewrite rules are actually an axiomatization of M 
(see [11]). 

• The constraint solving algorithms are automatically incremental in the following sense: in order 
to solve φ ∧ ψ, it is possible to use the result of solving ψ. 

• We expect to use rewriting tools for proving termination of the constraint solving rules, as we 
try to show in the following example. 

An example 

We consider the classical unification problems: formulae are conjunctions of equations between terms; 
they are interpreted in the free term algebra T(F, X). The equality symbol is considered as symmetric 
(i.e. there is no difference between s = t and t = s). 

Given a conjunction of equations φ, the occur-check relation is the relation on the free variables 
of φ defined as the smallest reflexive-transitive relation which relates x to y as soon as there is an 
equation x = t[y] in φ (see [16] for the notations on terms and equations that are used here). A 
variable is solved in φ if it has only one occurrence, as a member of an equation of φ. Let U(φ) be the 
set of unsolved variables of φ. 

Now consider the scheme of rules for unification given below: 

Decompose   f(s_1, ..., s_n) = f(t_1, ..., t_n)  →  s_1 = t_1 ∧ ... ∧ s_n = t_n 

Coalesce    x = y ∧ P  →  x = y ∧ P{x ↦ y} 
            if x ≠ y and x, y ∈ U(P) 

Clash       f(s_1, ..., s_n) = g(t_1, ..., t_m)  →  ⊥ 
            if f ≠ g 

Eliminate   x = s ∧ P  →  x = s ∧ P{x ↦ s} 
            if x ∈ Var(P), x ∉ Var(s) and s ∉ X 

Check*      x_1 = t_1[x_2]_{p_1} ∧ ... ∧ x_n = t_n[x_1]_{p_n}  →  ⊥ 
            if there is an i such that p_i ≠ Λ 

Trivial     s = s  →  ⊤ 

Merge       x = s ∧ x = t ∧ P  →  x = s ∧ s = t ∧ P 
            if Decompose, Check* do not apply and x is maximal w.r.t. the occur-check relation among the 
            variables occurring at least twice as a member of an equation 

Note that in these rules, we relax the classical condition on the sizes in the Merge rule (see [24]) 
and put instead a condition of maximality on x and assume the system decomposed. Whether these 
conditions can be relaxed without losing termination was stated as open problem 39 in [17]. We also 
assume here that there are structural rules for ∧: ⊥ ∧ P → ⊥, ⊤ ∧ P → P and P ∧ P → P. Moreover 
∧ is assumed to be associative and commutative. 
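A concrete run of these rules, as an added example that is not code from the survey: the control below always picks one equation, applies Trivial, Decompose or Clash when both sides are non-variable terms, then orients a variable on the left, rejects it by an occur check (the effect of Check* on a single cyclic equation, and on cycles through several equations once the earlier substitutions have been applied), and otherwise substitutes it everywhere (Coalesce for a variable right hand side, Eliminate otherwise; when another equation x = u is still pending, the substitution turns it into t = u, which is what Merge does). The result is a tree solved form, i.e. Robinson's algorithm as one particular control over the rules; the term representation and function names are this example's own.

```python
"""Rule-based syntactic unification in the free term algebra T(F, X) (added
example, not code from the survey).  Terms: a variable is a str; an application
is (symbol, (arg, ...)); a constant is (symbol, ()).  unify() returns a tree
solved form as a dict {variable: term}, or None when the problem is
unsatisfiable (Clash or Check*)."""

def is_var(t):
    return isinstance(t, str)

def occurs(x, t):
    """Occur check: does the variable x occur in the term t?"""
    if is_var(t):
        return t == x
    return any(occurs(x, a) for a in t[1])

def subst(t, x, s):
    """t{x -> s}"""
    if is_var(t):
        return s if t == x else t
    return (t[0], tuple(subst(a, x, s) for a in t[1]))

def unify(equations):
    todo = [tuple(e) for e in equations]   # the conjunction still to be solved
    solved = {}                            # x -> t with x solved: x occurs nowhere else
    while todo:
        s, t = todo.pop()
        if s == t:                                           # Trivial: s = s -> T
            continue
        if not is_var(s) and not is_var(t):
            if s[0] != t[0] or len(s[1]) != len(t[1]):
                return None                                  # Clash: f(..) = g(..) -> ⊥
            todo.extend(zip(s[1], t[1]))                     # Decompose
            continue
        if not is_var(s):
            s, t = t, s                                      # = is symmetric: orient x = t
        if occurs(s, t):
            return None                                      # Check*: x = t[x]_p, p ≠ Λ -> ⊥
        # Coalesce (t a variable) or Eliminate (t a non-variable term):
        # apply {x -> t} everywhere else.  A pending equation x = u becomes
        # t = u, which is exactly the effect of Merge.
        todo = [(subst(a, s, t), subst(b, s, t)) for a, b in todo]
        solved = {x: subst(u, s, t) for x, u in solved.items()}
        solved[s] = t
    return solved

def apply(sigma, t):
    """Apply a solved form to a term; the solved form is idempotent, so one
    pass suffices."""
    if is_var(t):
        return sigma.get(t, t)
    return (t[0], tuple(apply(sigma, a) for a in t[1]))

if __name__ == "__main__":
    a = ("a", ())
    f = lambda *args: ("f", args)
    g = lambda *args: ("g", args)
    print(unify([(f("x", g("y")), f(g("z"), g(a)))]))   # {'y': a, 'x': g(z)}
    print(unify([("x", f("x"))]))                        # None (occur check)
    print(unify([("x", f("y")), ("y", g("x"))]))         # None (cycle through two equations)
    print(unify([(f(a), g(a))]))                         # None (clash)
    print(unify([("x", f("y")), ("x", f(a))]))           # {'x': f(a), 'y': a} via Merge
```

Substituting into every pending equation is what makes this control produce tree solved forms, and it is also the source of the exponential blow-up mentioned in Section 4; the DAG solved forms of Martelli and Montanari avoid it by keeping x = s and only adding s = t, which is the Merge rule without the Eliminate that follows it here.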

The rule system is terminating (modulo the associativity-commutativity of ∧ and the commutativity 
of =). For, consider the associative path ordering [4] on formulae, extending the precedence on 
F ∪ X defined by: 

• every variable¹ is larger than any function symbol 

• every function symbol is larger than = which is in turn larger than ∧ 

• variables are compared according to the occur check relation 

¹ Be careful that variables of the unification problem are seen as constants in the rewriting process! Only the logical 
variables can be instantiated. 






I 

l. 

I 



This last statement has to be made precise since the occur-check relation actually depends on the formula which is considered. In fact, we consider the (maybe infinite) union of all occur-check relations at any step in the computation. This definition depends on the transformation, but it does not depend on a particular formula $\phi$, and we don't need to effectively compute this relation. It may happen that variables are equivalent w.r.t. this relation, in which case they are considered as identical from the associative path ordering point of view.

Note that the associative path ordering has the subterm property and it is monotonic (see [4]). 
Hence, for proving the termination, we only have to prove that every left hand side of a rule is (strictly) 
larger than the corresponding right hand side: 

• For the structural rules and for Trivial, Check* and Clash the decreasingness is obvious.

• Decompose is strictly decreasing because $=\;>\;\wedge$ in the precedence and $f(s_1, \dots, s_n) = f(t_1, \dots, t_n) \;>\; s_i = t_i$ by monotonicity and the subterm property.

• Eliminate is strictly decreasing because $x$ is strictly larger than the variables of $s$ (it is larger by definition, and it cannot be equivalent to any variable of $s$ since $x$ becomes solved after applying the rule, hence no rule can produce an equation with $x$ in its right hand side). Moreover, variables are larger than function symbols in the precedence, which shows that $x >_{apo} s$.

• Merge is strictly decreasing, for the same reason as above: since $x$ is assumed to be maximal in the decomposed system, it cannot be smaller than any variable of $s$ or $t$, even after further transformations.

• Coalesce keeps the problem equivalent w.r.t. >apo since x and y are equivalent in the precedence. 
However, it can only be applied a finite number of times. Hence we can reason modulo this rule, 
i.e. modulo the strict equivalence on variables. 

Now, the system is terminating. If we remove the Merge rule, the system is complete w.r.t. 
tree solved forms and we can find as an instance Robinson’s unification algorithm. If we remove the 
Eliminate rule, the system is complete w.r.t. DAG solved forms and we can find an instance of 
Martelli and Montanari’s unification algorithm. 
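The rule system above, as an added example that is not part of this paper: a small Python implementation of the tree-solved-form instance (Eliminate rather than Merge, i.e. the Robinson-style instance just mentioned), together with the occur-check relation $\succ_\phi$ and the Check* rule evaluated on a whole conjunction of equations. The term encoding (variables as strings, compound terms as tuples), the function and exception names are assumptions of this example; the Merge/DAG instance is not implemented.

```python
"""Rule-based syntactic unification over first-order terms (added example).

Representation (an assumption of this example): a variable is a str such as 'x';
a compound term f(t1, ..., tn) is the tuple ('f', t1, ..., tn), and a constant a
is ('a',).  A unification problem is a list of equations (s, t); '=' is symmetric.
"""
from typing import Dict, List, Set, Tuple, Union

Term = Union[str, tuple]
Equation = Tuple[Term, Term]


class ClashError(Exception):
    """The Clash rule fired: f(...) = g(...) with f != g, so the result is bottom."""


class OccurCheckError(Exception):
    """The Check* rule fired: a cyclic chain x1 = t1[x2], ..., xn = tn[x1]."""


def is_var(t: Term) -> bool:
    return isinstance(t, str)


def variables(t: Term) -> Set[str]:
    """Var(t): the set of variables occurring in t."""
    if is_var(t):
        return {t}
    out: Set[str] = set()
    for arg in t[1:]:
        out |= variables(arg)
    return out


def subst(t: Term, x: str, s: Term) -> Term:
    """t{x -> s}: replace every occurrence of the variable x in t by s."""
    if is_var(t):
        return s if t == x else t
    return (t[0],) + tuple(subst(arg, x, s) for arg in t[1:])


def occur_check_relation(eqs: List[Equation]) -> Set[Tuple[str, str, bool]]:
    """Edges (x, y, strict) of the occur-check relation: an equation x = t[y]_p
    gives x > y; strict records whether p != Lambda (y is strictly below the root)."""
    edges = set()
    for s, t in eqs:
        for x, u in ((s, t), (t, s)):               # '=' is symmetric
            if is_var(x):
                for y in variables(u):
                    edges.add((x, y, not is_var(u)))
    return edges


def check_star(eqs: List[Equation]) -> bool:
    """Check*: True iff the occur-check relation has a cycle through an edge
    with p_i != Lambda, i.e. some strict edge x > y such that y reaches x again."""
    edges = occur_check_relation(eqs)
    succ: Dict[str, Set[str]] = {}
    for x, y, _ in edges:
        succ.setdefault(x, set()).add(y)

    def reaches(a: str, b: str) -> bool:        # reflexive-transitive closure
        seen, stack = set(), [a]
        while stack:
            n = stack.pop()
            if n == b:
                return True
            if n not in seen:
                seen.add(n)
                stack.extend(succ.get(n, ()))
        return False

    return any(strict and reaches(y, x) for x, y, strict in edges)


def unify(eqs: List[Equation]) -> Dict[str, Term]:
    """Normalize a conjunction of equations with Trivial, Clash, Decompose,
    Coalesce and Eliminate (plus the n = 1 instance of Check*).  Returns the tree
    solved form as an idempotent substitution x -> t, or raises on bottom."""
    work = list(eqs)
    solved: List[Equation] = []
    while work:
        s, t = work.pop()
        if s == t:                                  # Trivial: s = s -> top
            continue
        if not is_var(s) and not is_var(t):
            if s[0] != t[0] or len(s) != len(t):    # Clash: f != g (or arities differ)
                raise ClashError(f"{s[0]}/{len(s) - 1} vs {t[0]}/{len(t) - 1}")
            work.extend(zip(s[1:], t[1:]))          # Decompose
            continue
        if not is_var(s):                           # put the variable on the left
            s, t = t, s
        if not is_var(t) and s in variables(t):     # Check*: x = t[x]_p with p != Lambda
            raise OccurCheckError(s)
        # Coalesce (t is a variable) / Eliminate (t is not): x -> t everywhere else
        work = [(subst(a, s, t), subst(b, s, t)) for a, b in work]
        solved = [(y, subst(u, s, t)) for y, u in solved]
        solved.append((s, t))
    return dict(solved)


def apply(sigma: Dict[str, Term], t: Term) -> Term:
    """Apply a solved form to a term (order is irrelevant: sigma is idempotent)."""
    for x, s in sigma.items():
        t = subst(t, x, s)
    return t


def unifiable(eqs: List[Equation]) -> bool:
    """True iff the problem has a solved form, False if Clash or Check* yields bottom."""
    try:
        unify(eqs)
        return True
    except (ClashError, OccurCheckError):
        return False
```

Because Eliminate substitutes eagerly into every other equation, any cyclic chain eventually becomes a direct $x = t[x]_p$ with $p \neq \Lambda$, so the single-equation occur check inside `unify` is enough there; `check_star` shows the rule in its general $n$-ary form on the undecomposed problem, where $x = y \wedge y = x$ is not rejected (only Coalesce applies) but $x = f(y) \wedge y = x$ is.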

Similar techniques have been applied for the termination proofs of more powerful constraint systems [13, 12].
Abstract

In this paper we show how non-standard semantics for constraint-based logic programs (CLP) can be formally specified by means of the same techniques used to define standard semantics. In particular abstract interpretation of constraint logic programs can be viewed as an instance of the CLP framework itself. The use of standard instances of the CLP framework (e.g. CLP(Bool) and $CLP(\mathcal{R})$) for non-standard interpretations weakens the distinction between concrete and abstract computations in semantics and analysis. We formalise this idea by applying the well known approximation techniques (e.g. the standard theory of closure operators) in conjunction with a generalised notion of constraint system, supporting any program evaluation. The "generalised semantics" resulting from this process abstracts away from standard semantic objects, by focusing on the general properties of any (possibly non-standard) semantic definition. In constraint logic programming, this corresponds to a suitable definition of the constraint system supporting the semantic definition. Both top-down and bottom-up semantics are considered.


1 Introduction 

Constraint logic programming (CLP) is a generalization of the pure logic programming paradigm, having similar model-theoretic, declarative and operational semantics [23]. CLP is then a general programming paradigm which may be instantiated on various semantic domains. The fundamental linguistic aspect of constraint logic programming is the ability of computing constraints by means

*The work of R. Giacobazzi and G. Levi was supported by the Esprit Basic Research Action 3012 - Compulog and by "Progetto Finalizzato Sistemi Informatici e Calcolo Parallelo" of C.N.R. under grants no. 9100880.PF69. The work of S. Debray was supported in part by the National Science Foundation under grants CCR-8901283 and CCR-9133520.




of Horn-like rules. Since this aspect can be separated from the details specific to particular
constraint systems, it seems natural to parameterize the semantics of CLP languages with respect 
to the underlying constraint system. We refer to such a semantics as generalized semantics [19]. 

It turns out that the generalized semantics provides a powerful tool for dealing with a variety of 
applications relating to the semantics of CLP programs. For example, by considering a domain of 
“abstract constraints” instead of the “concrete constraints” that are actually manipulated during 
program execution, we obtain for free a formal treatment of abstract interpretation. 

In this paper we show how abstract and concrete interpretations for logic-based languages can be joined into the unifying framework of constraint logic programming. We apply the generalized semantics introduced in [19], intended to generalize the notion of constraint logic programs as firstly introduced in [23]. The algebraic approach we take to constraint interpretation makes it easy to identify a suitable set of operators which can be instantiated in different ways to obtain both standard and non-standard interpretations, relying on some simple axioms to ensure that desirable semantic properties are satisfied. This work has a main technical contribution: to show how a wide class of analysis techniques developed for pure and constraint-based logic programs can themselves be viewed as instances of the constraint logic programming paradigm. This is obtained by considering a general notion of constraint systems which is weak enough to have general applicability and at the same time strong enough to ensure that relevant properties of the standard semantics construction for logic programs are preserved.

The approximation of the meaning of programs by means of relations among the variables 
involved in the computation is a well known technique to specify a space of approximate asser¬ 
tions for program analysis [15,14]. We argue that the ability of the constraint logic programming 
paradigm to handle relations on a variety of semantic domains (e.g. real arithmetics, boolean al¬ 
gebras, etc.) allows this paradigm to be used in the field of program analysis both as a tool for the 
formal specification of abstract domains of approximate relations and for the rapid prototyping 
of static analysis systems. This approach has some interesting practical applications, such as the 
ability to compile the data-flow analysis directly to an abstract machine for constraint logic pro¬ 
grams. This approach, which is a logical extension of the “abstract compilation” scheme discussed 
in [21], removes the overhead of program interpretation incurred by keeping separate abstract and concrete interpretations, and leads to significant improvements in the speed of analysis [21,32].
Our approach also makes it possible to close the gap that often exists between the formalization 
of data-flow analyses in terms of abstract interpretation and the realization of efficient imple¬ 
mentations by means of appropriate data-structures and efficient algorithms. Applications of our 
framework to systematically derive efficient algorithms for data-flow analysis (e.g. by means of 
constraint propagation techniques for constraint solving) have been recently studied in [3]. 

The paper is structured as follows: in Section 2 we introduce the basic mathematical notations used throughout the paper. Section 3 introduces the main results in [19], thus providing an incremental step-by-step algebraic specification for constraint systems and a top-down and a bottom-up semantics for constraint logic programs which are parametric with respect to the underlying constraint system. In Section 4 we consider generalized semantics for constraint logic programs as a framework for semantics-based analyses for constraint logic programs. An example, namely ground dependency analysis, is considered associating boolean constraints with standard equations on terms. Some results on approximating constraints by means of upper closure operators on constraint systems are also given. This approach points out how some well-known program analysis techniques can be obtained by evaluating an abstract program into a variation of some existing CLP systems, such as CLP(Bool) for ground dependency analysis; and, as shown in Section 5: $CLP(\mathcal{R})$¹, where a weaker notion of constraint system supporting program analysis is
introduced. This is accomplished by focusing on two distinct applications of constraint program¬ 
ming to data-flow analysis, namely: linear relationships analysis and future redundant constraint 
analysis. They associate linear constraints with standard equations on terms and range-intervals 
with linear constraints on real numbers, respectively. Section 6 contains a survey of the most 
important related works. Section 7 concludes. 

2 Preliminaries 

Throughout the paper we will assume familiarity with the basic notions of lattice theory (Birkhoff's text [6] provides the necessary background) and abstract interpretation [12,14]. In the following we recall some basic mathematical notations used in the next sections.

The sets of natural numbers, integers, and reals are denoted by $\mathbb{N}$, $\mathbb{Z}$ and $\mathbb{R}$ respectively. Given sets $A$ and $B$, $A \setminus B$ denotes the set $A$ where the elements in $B$ have been removed. The powerset of a set $S$ is denoted by $\wp(S)$. The class of finite (possibly empty) subsets of a set $S$ is denoted $\wp_f(S)$. Let $\Sigma$ be a possibly infinite set of symbols. We denote by $\Sigma^*$ the family of finite-length strings (sequences) of symbols in $\Sigma$, including the empty string $\Lambda$. Sequences are typically denoted by $\langle a_1, \dots, a_n \rangle$ or simply $a_1, \dots, a_n$ for symbols $a_i$ in $\Sigma$. The length of a sequence $s$ is denoted $|s|$. The set of objects $a_i$ indexed on a set of symbols $\Sigma$ is denoted $\{a_i\}_{i \in \Sigma}$. The set of $n$-tuples of symbols in $\Sigma$ is denoted $\Sigma^n$. When the length of sequences is fixed, sequences and tuples will often be considered equivalent notions. Let $R \subseteq A \times A$ be a binary relation on $A$; then the transitive closure of $R$ is denoted by $R^*$. Syntactic identity is denoted $\equiv$.

A partial ordering is a binary relation that is reflexive, transitive and antisymmetric. A set $P$ equipped with a partial order $\leq$ is said to be partially ordered, and sometimes written $(P, \leq)$. A chain is a (possibly empty) subset $X$ of a partially ordered set $P$ such that for all $x, x' \in X$: $x \leq x'$ or $x' \leq x$. Given a partially ordered set $(P, \leq)$ and $X \subseteq P$, $y \in P$ is an upper bound for $X$ iff $x \leq y$ for each $x \in X$. An upper bound $y$ for $X$ is the least upper bound iff for every upper bound $y'$: $y \leq y'$; lower bounds and greatest lower bounds are defined dually. A complete lattice is a partially ordered set $L$ such that every subset of $L$ has a least upper bound and a greatest lower bound. A complete lattice $L$ with partial ordering $\leq$, least upper bound $\vee$, greatest lower bound $\wedge$, least element $\bot = \vee\emptyset = \wedge L$, and greatest element $\top = \wedge\emptyset = \vee L$, is denoted $(L, \leq, \bot, \top, \vee, \wedge)$. Given partially ordered sets $(A, \leq_A)$ and $(B, \leq_B)$, a function $f : A \to B$ is monotonic if for all $x, x' \in A$: $x \leq_A x'$ implies $f(x) \leq_B f(x')$. $f$ is continuous iff for each non-empty chain $X \subseteq A$: $f(\vee_A X) = \vee_B f(X)$. A function $f$ is additive iff the previous condition is satisfied for each non-empty set $X \subseteq A$ ($f$ is also called a complete join-morphism). An upper closure operator on a partially ordered set $(A, \leq)$ is a function $\rho : A \to A$ that is idempotent, i.e., $\rho(\rho(c)) = \rho(c)$; extensive, i.e., $c \leq \rho(c)$; and monotonic.

To specify function parameters in function definitions we often make use of Church's lambda notation. We write $f : A \to B$ to mean that $f$ is a total function of $A$ into $B$. Let $f : A \to B$ be a mapping; for each $C \subseteq A$ we denote by $f(C)$ the image of $C$ by $f$: $\{f(x) \mid x \in C\}$. Functions from a set to the same set are usually called operators. The identity operator $\lambda x.x$ is often denoted $id$. Let $(L, \leq, \bot, \top, \vee, \wedge)$ be a non-empty complete lattice. Let $f : L \to L$ be a function. The upper ordinal powers of $f$ are defined as follows: $f \uparrow 0\,(X) = X$, $f \uparrow \alpha\,(X) = f(f \uparrow (\alpha - 1)\,(X))$ for every successor ordinal $\alpha$; and $f \uparrow \alpha\,(X) = \vee_{\beta < \alpha} f \uparrow \beta\,(X)$ for every limit ordinal $\alpha$. The first limit ordinal equipotent with the set of natural numbers is denoted by $\omega$.

¹ $CLP(\mathcal{R})$ denotes the $CLP(\Re)$ (constraint logic programs on the domain of real numbers) implementation described in [24].

An algebraic structure [20] is a pair $(C, \Omega)$ where $C$ is a non-empty set, called the universe of the structure, and $\Omega$ is a function ranging over a (possibly infinite non-denumerable) index set $I$ such that for each $i \in I$, $\Omega_i$ is a finitary operation on and to elements of $C$. Algebraic structures are also denoted as $(C, \Omega_i)_{i \in I}$. In addition to the $\Omega_i$ operations, some special symbols (e.g. $\otimes$, $\oplus$, ...) will be used to denote algebraic operations, including constants. With an abuse of notation, we will often denote distinguished elements of $C$ as constant operations $\Omega_i$ on $C$. Given algebraic structures $(A, \Omega_A)$ and $(B, \Omega_B)$ with universes $A$ and $B$ and provided with a common set of basic operators $\Omega$, a (homo)morphism $\sigma$ from $(A, \Omega_A)$ to $(B, \Omega_B)$, denoted by $\sigma : (A, \Omega_A) \to (B, \Omega_B)$, is a function $\sigma : A \to B$ such that: $\sigma(f_A) = f_B$ for each constant symbol $f$ in $\Omega$ and $\sigma(f_A(a_1, \dots, a_n)) = f_B(\sigma(a_1), \dots, \sigma(a_n))$ for each $n$-ary operation $f$ in $\Omega$ and $a_1, \dots, a_n \in A$. Let $(A, \Omega_A)$ and $(B, \Omega_B)$ be as above. Given partially ordered sets $(A, \leq_A)$ and $(B, \leq_B)$, a semimorphism is a function $\sigma : A \to B$ such that $\sigma(f_A) \leq_B f_B$ for each constant symbol $f$ in $\Omega$, and $\sigma(f_A(a_1, \dots, a_n)) \leq_B f_B(\sigma(a_1), \dots, \sigma(a_n))$ for each $n$-ary operation symbol $f$ in $\Omega$.

3 Generalized Semantics 

As defined in [23], the semantics of constraints is given in terms of an algebraic structure which interprets constraint formulas, while the semantics of a constraint logic program is given in terms of the well known fixpoint, model-theoretic and operational characterizations. In this section we recall some of the basic results on the generalized semantics in [19].

3.1 Term Systems 

A term system is an algebra of terms provided with a binary operator which realizes substitutions 
[8]. We are interested in term systems where every term depends only on a finite number of 
variables (also called finitary term systems). They represent the first basic definition in the 
semantic construction. 

Definition 3.1 [term systems [8]]

A term system $\tau$ is an algebraic structure $(\tau, S, V)$ where we refer to the elements of $\tau$ as $\tau$-terms (terms for short); $V$ is a countable set² of $\tau$-variables (variables, for short) in $\tau$; $S$ is a countable set of binary operations on $\tau$, indexed by $V$; and the following conditions are satisfied, for all $x, y \in V$ and $t, t', t'' \in \tau$:

T1. $s_x(t, x) = t$, identity

T2. $s_x(t, y) = y$, where $x \neq y$, annihilation

T3. $s_x(t, s_x(y, t')) = s_x(y, t')$ where $x \neq y$, renaming

T4. $s_x(t', s_y(t'', t)) = s_y(s_x(t', t''), s_x(t', t))$ where $x \neq y$ and $y\ ind\ t'$, independent composition

where a $\tau$-term $t$ is independent on the $\tau$-variable $x$, denoted by "$x\ ind\ t$", if $s_x(t', t) = t$ for any $t' \in \tau$. We say that a variable $x$ occurs in a term $t$ if $\neg(x\ ind\ t)$. We denote the set of variables occurring in a term $t$ as $var(t)$.

² A more general definition that considers sets of arbitrary cardinalities is given in [8]: for our purposes, it suffices to consider countable sets.
Intuitively, $s_x(t, t')$ denotes the operation "substitute $t$ for every occurrence of the variable $x$ in $t'$". For notational convenience, we often denote $s_x(t, t')$ as $[t/x]t'$. This notation can be extended to substitutions on multiple variables. Notice that, by T2, for each $x, y \in V$: $x\ ind\ y$ iff $x \neq y$. The condition that terms depend on a finite number of variables can be formalized by imposing that the dimension set [8]:

$\{\, x \in V \mid [t/x]t' \neq t' \text{ for some } t \in \tau \,\}$

is finite for every $t' \in \tau$. A renaming of a variable $x$ in a term $t$ is $[y/x]t$ for some $y \neq x$. Standard properties of term systems and substitutions, such as the properties of composition, can be found in [8].

Example 3.1 Let $\Sigma$ be a finite collection of function symbols. The standard term system $\tau(\Sigma, V) = (T(\Sigma, V), Sub, V)$ is a term system provided that substitutions in $Sub$ perform standard substitutions. In this case $v\ ind\ t$ iff the variable $v$ does not occur in $t$.

Notice that the substitution operators in S do not perform in general idempotent substitutions. 

Definition 3.2 

Let $\Pi$ be a finite collection of predicate symbols and $\tau$ be a term system. A $(\tau, \Pi)$-atom has the form $p(t_1, \dots, t_n)$ where $p \in \Pi$ and $t_i \in \tau$ for all $i = 1, \dots, n$.

When clear from the context, we sometimes denote by $\bar{o}$ both a tuple and a set of syntactic objects $o$ (terms, atoms, etc.). In particular we denote by $\bar{x}$ a tuple (set) of distinct variables. Let $\bar{o} = (o_1, \dots, o_n)$ and $\bar{o}' = (o'_1, \dots, o'_n)$ be tuples (sets) of syntactic objects. We write $\bar{o} \neq \bar{o}'$ to denote $o_i \neq o'_j$ for each $i, j$.

The following example shows a non-standard instance of the term system algebraic structure. 

Example 3.2 Let $\Sigma$ be a finite set of symbols. Let $\tau_\Sigma = (\wp_f(\Sigma), S, \Sigma)$, where $S$ is the family of basic operators $s_\sigma$, for $\sigma \in \Sigma$, such that for each $A_1, A_2 \in \wp_f(\Sigma)$:

$s_\sigma(A_1, A_2) = (A_2 \setminus \{\sigma\}) \cup A_1$ if $\sigma \in A_2$, and $s_\sigma(A_1, A_2) = A_2$ otherwise.

In this case, for each $\sigma \in \Sigma$ and finite set $A \subseteq \Sigma$: $\sigma\ ind\ A$ iff $\sigma \notin A$. $\tau_\Sigma$ is a term system.
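Both instances above, as an added example that is not part of the paper: a Python encoding of the standard term system of Example 3.1 and of the finite-set term system $\tau_\Sigma$ of Example 3.2, with a brute-force check of T1 to T4 over constructed samples and $var(t)$ computed from the definition of $ind$ (which, for these two instances, is also the dimension set). The term encodings, the sample terms and the probe terms used to decide $x\ ind\ t$ are assumptions of this example.

```python
"""Term systems (Definition 3.1): the standard term system of Example 3.1 and
the finite-set term system of Example 3.2, with a checker for axioms T1-T4.
Added example; the variable and term samples below are constructed."""
from itertools import combinations, product


def s_std(x, t, u):
    """Standard terms: a variable is a str, f(t1, .., tn) is ('f', t1, .., tn).
    s_x(t, u) = [t/x]u substitutes t for every occurrence of x in u."""
    if isinstance(u, str):
        return t if u == x else u
    return (u[0],) + tuple(s_std(x, t, arg) for arg in u[1:])


def s_set(sigma, a1, a2):
    """tau_Sigma: terms are finite subsets of Sigma, its symbols are the variables.
    s_sigma(A1, A2) = (A2 \\ {sigma}) | A1 if sigma in A2, and A2 otherwise."""
    return (a2 - {sigma}) | a1 if sigma in a2 else a2


def var(s, variables, t, probe):
    """var(t) = {x | not (x ind t)}.  'x ind t' requires s_x(t', t) = t for every
    t'; in both instances one probe term different from x suffices, since any
    occurrence of x would be rewritten.  This is also the dimension set of t."""
    return {x for x in variables if s(x, probe, t) != t}


def check_term_system(s, as_term, variables, terms, probe):
    """Check T1-T4 of Definition 3.1 over the samples; as_term embeds a variable
    into the term set.  Returns the sorted names of the violated axioms."""
    failed = set()
    for x, y in product(variables, repeat=2):
        vx, vy = as_term(x), as_term(y)
        for t, t1, t2 in product(terms, repeat=3):
            if s(x, t, vx) != t:                                     # T1 identity
                failed.add('T1')
            if x != y and s(x, t, vy) != vy:                         # T2 annihilation
                failed.add('T2')
            if x != y and s(x, t, s(x, vy, t1)) != s(x, vy, t1):     # T3 renaming
                failed.add('T3')
            if (x != y and y not in var(s, variables, t1, probe)     # T4 independent
                    and s(x, t1, s(y, t2, t)) != s(y, s(x, t1, t2), s(x, t1, t))):
                failed.add('T4')                                     #    composition
    return sorted(failed)


# Constructed samples.  Probe terms: a fresh constant, resp. the empty set.
STD_VARS = ('x', 'y')
STD_TERMS = ('x', 'y', ('a',), ('f', 'x', 'y'), ('g', ('f', 'x', 'x'), 'y'))
STD_PROBE = ('c',)
SIGMA = ('p', 'q', 'r')
SET_TERMS = tuple(frozenset(sub) for n in range(4) for sub in combinations(SIGMA, n))
SET_PROBE = frozenset()


def std_violations():
    """Axioms violated by the standard term system on the sample (expected: none)."""
    return check_term_system(s_std, lambda v: v, STD_VARS, STD_TERMS, STD_PROBE)


def set_violations():
    """Axioms violated by tau_Sigma on all subsets of SIGMA (expected: none)."""
    return check_term_system(s_set, lambda v: frozenset({v}), SIGMA, SET_TERMS, SET_PROBE)
```

In $\tau_\Sigma$ a "variable" $\sigma$ is the singleton term $\{\sigma\}$, which is why the checker takes an embedding of variables into terms; the same checker, with a different embedding, could be pointed at any other candidate term system.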
3.2 Constraint Systems 

We give now a formal algebraic specification for the language of constraints on a given term system. It allows us to identify those structures which have to be considered in any non-standard semantic definition. The process of building constraints in any fixpoint evaluation of a given CLP program is mainly based on set-union and conjunction. We want to give an algebraic characterization of this process in order to provide a framework for generalized interpretations of constraint logic programs.





Definition 3.3 [closed semirings [1]]

A closed semiring is an algebraic structure $(C, \otimes, \oplus, 1, 0)$ satisfying the following:

1. $(C, \otimes, 1)$ and $(C, \oplus, 0)$ are monoids.

2. $\oplus$ is commutative and idempotent.

3. $0$ is an annihilator for $\otimes$, i.e., for every $c \in C$, $c \otimes 0 = 0 \otimes c = 0$.

4. for any countable sequence of elements $a_1, \dots, a_n, \dots$ in $C$: $a_1 \oplus a_2 \oplus \dots \oplus a_n \oplus \dots$ exists and is unique. Moreover associativity, commutativity and idempotence of $\oplus$ apply to countably infinite as well as to finite applications of $\oplus$.

5. $\otimes$ is left- and right-distributive over finite and countably infinite applications of $\oplus$, i.e., if $C' = \{c'_i\}_{i \in I}$ is a countable sequence of elements in $C$ and $c \in C$, then $c \otimes (\oplus C') = \oplus(\{c \otimes c' \mid c' \in C'\})$ and $(\oplus C') \otimes c = \oplus(\{c' \otimes c \mid c' \in C'\})$, where $\oplus C'$ denotes $c'_1 \oplus c'_2 \oplus \dots \oplus c'_n \oplus \dots$.


Ioannides and Wong show that the class of relational operators forms a closed semiring [22], thus providing a formalization of recursion in the database context. In logic programming, closed semirings summarize, in an algebraic framework, all the aspects dealing with composition of terms like unification and set union. The idea is that of finding the (possibly infinite) set of all paths in the semantic construction. From a semantic viewpoint in fact, each path is a sequence of constraints between vertices in the proof tree. Idempotence, associativity and commutativity are the least set of properties necessary to allow $\oplus$ to model, in the general context of standard as well as non-standard semantics, the "merging" together of information via set union. The operator $\otimes$ corresponds to conjunction of constraints and plays the important role of collecting information during computation. Distributivity allows the representation of constraints as possibly infinite joins of finite meets (also called simple constraints). Distributivity plays a fundamental role in the equivalence between the bottom-up and the top-down semantic constructions. Closure on countable sequences of elements in $C$ is necessary to admit constraints that are infinite joins of constraints (this is important in the fixpoint semantic development). A weaker structure, namely a non-distributive closed semiring, will be considered in Section 5.

A semantic definition necessarily implies some notion of "observable behavior": programs that have the same semantics are considered to not be observably different. Modeling the semantics of constraint logic programs in terms of answer constraints corresponds to considering answer constraints as the appropriate observable property [16]. Thus, the notion of solution for a given answer constraint has to be restricted (projected) to the variables of the corresponding query (output variables). Closed semirings are too weak to capture the notion of variable projection. We handle this notion by means of a family of "hiding" operators on the underlying algebra, as in [31]. Cylindric algebras, formed by enhancing Boolean algebras with a family of unary operations called cylindrifications [20], provide a suitable framework for this. The intuition here is that given a constraint $c$, the cylindrification operation $\exists_S(c)$ yields the constraint obtained by "projecting out" information about the variables in $S$ from $c$. Diagonal elements [20] are considered as a way to provide parameter passing [31]. In constraint logic programming the equality symbol "$=$" is assumed to provide term unification in any constraint system. However, cylindric algebras, which are oriented to first-order languages without function symbols, are not adequate as an algebraic semantic framework for general constraint logic programs, so we extend diagonal elements to deal with generic terms, following the approach in [8]. Finally, for each variable $x$ and term $t$, a unary operator extends the substitution operation to idempotent substitutions on constraints.

Definition 3.4 [constraint systems]

A constraint system $\mathcal{A}$ is an algebraic structure $(C, \otimes, \oplus, 1, 0, \exists_\Delta, \delta^x_t, d_{t,t'})_{\Delta \subseteq V;\, x \in V;\, t,t' \in \tau}$ where $C$ is a set of $\mathcal{A}$-constraints generated by a given set of atomic constraints, and is called the universe of $\mathcal{A}$; $V$ is a countable set of variables; $\tau$ is a term system; $0$, $1$, $d_{t,t'}$ are distinct (atomic) elements of $C$, for each $t, t' \in \tau$; $\{\exists_\Delta\}_{\Delta \subseteq V}$ and $\{\delta^x_t\}_{x \in V;\, t \in \tau}$ are unary operations on $C$, the latter being defined for $x\ ind\ t$; $\otimes$, $\oplus$ are binary operations on $C$; such that the following postulates are satisfied for any $c, c' \in C$; $\Delta, \Phi \subseteq V$ and $t, t', t'' \in \tau$:

R1. the structure $(C, \otimes, \oplus, 1, 0)$ is a closed semiring;

C1. $c \otimes \exists_\Delta c = c$;

C2. $\exists_\Delta(c \otimes \exists_\Delta c') = \exists_\Delta c \otimes \exists_\Delta c'$;

C3. $\exists_\Delta \exists_\Phi c = \exists_{(\Delta \cup \Phi)} c$;

C4. $\exists_\Delta$ distributes over finite and countably infinite joins;

D1. $d_{t,t} = 1$;

D2. $\exists_{\{x\}} d_{x,t} = 1$;

D3. $d_{t,t'} = d_{t',t}$;

S1. $\delta^x_t(c) = \exists_{\{x\}}(d_{x,t} \otimes c)$;

S2. $\delta^x_t(d_{t',t''}) = d_{[t/x]t', [t/x]t''}$;

S3. $\delta^x_t(c \otimes c') = \delta^x_t c \otimes \delta^x_t c'$.

With an abuse of notation, when clear from the context, we denote $\delta^x_t(c)$ as $[t/x]c$. The meaning of cylindrification is given by the axioms from C1 to C4, while diagonal elements and substitutions are specified by the axioms from D1 to S3. Notice that Axioms S1 and S2 relate the notion of substitution in the term system $\tau$ with diagonal elements of $C$ (which intuitively correspond to the notion of equality constraints) in the expected way. Recursively, a simple constraint is any atomic constraint, or the cylindrification (substitution) of a simple constraint, or a finite conjunction (meet) of simple constraints. The notions of "independence" and "occurrence" of variables extend in the obvious way from terms in $\tau$ to constraints in $C$. Let $c \in C$ and $x \in V$; $x\ ind\ c$ iff $\delta^x_t c = c$ for any $t \in \tau$ such that $x\ ind\ t$. A variable $x$ is bound in $c$ iff it is existentially quantified in $c$. A variable $x$ is free in $c$ iff $x \in var(c)$ and $x$ is not bound in $c$. The set of free variables in a constraint $c$ is denoted by $FV(c)$. A renaming of $c$ with respect to $x$ is the constraint $\delta^x_y c$ such that $x \neq y$. It is renamed apart if also $y\ ind\ c$. Let $\{x_1, \dots, x_n\} \subseteq V$; in the following we will denote $\exists_{var(c) \setminus \{x_1, \dots, x_n\}} c$, i.e. hiding from all the variables in $c$ except $\{x_1, \dots, x_n\}$, as $\exists(c)_{x_1, \dots, x_n}$. We often omit brackets in cylindrifications on sets of variables. We also denote by $d_{(t_1, \dots, t_n), (t'_1, \dots, t'_n)}$ the element $d_{t_1,t'_1} \otimes \dots \otimes d_{t_n,t'_n}$ where $t_i, t'_i \in \tau$, and denote by $\mathcal{A}$ an arbitrary constraint system $(C, \otimes, \oplus, 1, 0, \exists_\Delta, \delta^x_t, d_{t,t'})_{\Delta \subseteq V;\, x \in V;\, t,t' \in \tau}$. $c_1 \leq c_2$ denotes the relation $c_1 \oplus c_2 = c_2$, for $c_1, c_2 \in C$. $C$ is partially ordered by $\leq$ and forms a complete lattice.

A number of important properties are shared by constraint systems. In particular, for each $\Delta \subseteq V$, $\exists_\Delta$ defines an additive upper closure operator³ on $C$, while the substitution operator on constraints defines an additive retraction⁴ on $C$. Notice that the substitution is not, in general, extensive. Moreover, if $x$ is bound in $c$ then $x\ ind\ c$, and if $c$ is a renaming apart of $c'$ with respect to $x$, then $x\ ind\ c$; and if $\Delta\ ind\ c$ then $\exists_\Delta(c \otimes c') = c \otimes \exists_\Delta c'$. An important property on the relation between cylindrification and renaming (with fresh variables) allows us to extend the standard approach to the semantic construction of logic programs to constraint-based programs: $c \otimes \exists_{\{x\}} c' = \exists_{\{y\}}(c \otimes c'')$ where $y\ ind\ c, c'$, $y \neq x$ and $c'' = \delta^x_y c'$.

Example 3.3 [CLP(H)] Let $\Sigma = \{a, b, \dots, f, g, \dots\}$ be a finite collection of function symbols. Atomic constraints are (one-sorted) equations on the term system $\tau(\Sigma, V)$ (see Example 3.1). The Herbrand constraint system $\mathcal{A}_{\mathcal{H}}$ is the quotient algebra

$(\wp(E_\Sigma), \wedge, \cup, true, false, \exists_X, \delta^x_t, \{t = t'\})_{X \subseteq V;\, x \in V;\, t,t' \in \tau(\Sigma,V)} \,/\, \approx_{eq}$

where:

• $E_\Sigma$ is the set of all finite conjunctions of equations over $\tau(\Sigma, V)$.

• $\mathcal{H}$ is intended to represent the Herbrand interpretation structure, interpreting diagonal elements as unification [23]. A solution $\vartheta$ for a possibly quantified finite conjunction (set) of equations $\exists_X E = \exists_X(s_1 = t_1, \dots, s_n = t_n)$ is a grounding substitution for the free variables in $E$ such that there exists a grounding substitution $\sigma$ for the bound variables $X$, and $s_1\sigma\vartheta \equiv t_1\sigma\vartheta, \dots, s_n\sigma\vartheta \equiv t_n\sigma\vartheta$. $\mathcal{H} \models E\vartheta$ denotes that $\vartheta$ is a solution for $E$⁵. We extend this definition to deal with possibly infinite joins: $\vartheta$ is a solution for $\bigcup_{i \in I} E_i$ iff there exists $i \in I$ such that $\vartheta$ is a solution for $E_i$⁶.

• $\exists$ is the existential quantification, which is assumed to be distributive (as well as conjunction) over arbitrary joins: if $X \subseteq V$, $\vartheta$ is a solution for $\exists_X(\bigcup_{i \in I} E_i)$ iff $\vartheta$ is a solution for $\exists_X E_i$ for some $i \in I$.

• For each $c_1 = \bigcup_{i \in I_1} E_i$ and $c_2 = \bigcup_{i \in I_2} E'_i$ denoting possibly infinite joins of (finite) quantified sets of atomic constraints (equations) $E_i$ and $E'_i$: $c_1 \approx_{eq} c_2$ iff $\bigcup_{i \in I_1} \{\vartheta \mid \mathcal{H} \models E_i\vartheta\} = \bigcup_{i \in I_2} \{\vartheta \mid \mathcal{H} \models E'_i\vartheta\}$.

• $true$ denotes any constraint having every grounding substitution as a solution, while $false$ denotes any constraint having an empty set of solutions.

• $\delta^x_t$, for $x$ not occurring in $t$, performs idempotent substitutions on constraints, by extending in the obvious way the term substitution notion to constraints.

³ An upper closure operator $\rho$ on a partially ordered set $(A, \leq)$ is a monotonic, idempotent and extensive (i.e. $\rho(x) \geq x$) operator.

⁴ A retraction on a partially ordered set $(A, \leq)$ is an operator $\rho$ that is idempotent and monotonic.

⁵ This corresponds to the intuitive notion: "a solution assigns values to the free variables of the constraint in such a way that there exists an assignment to the existentially quantified variables such that the constraint is validated".

⁶ Thus, in order to handle possibly infinite disjunctions of (finite) sets of equations, we interpret disjunction as





Example 3.4 [CLP(R)] This example formalizes $CLP(\mathcal{R})$ as an instance of our framework. In the following $\bar{x} = (x_1 \dots x_n)$ is a vector (point) in $\mathbb{R}^n$ and $x_i$ is its $i$-th element. A hyperplane is the set of points $\bar{x} \in \mathbb{R}^n$ satisfying $a_1 x_1 + \dots + a_n x_n = b$, with not all $a$'s equal to zero. Any hyperplane defines two halfspaces in the obvious way. A convex polyhedron is the (possibly unbounded) set of points constituting the intersection of a finite number of halfspaces. Let $P$ be a polyhedron of dimension $n$, and $HS$ be a halfspace defined by a hyperplane $H$. If $f = P \cap HS \subseteq H$ then $f$ is called a face of $P$. A facet is a face of dimension $n - 1$. For any finite $n$, the constraint system of $n$-dimensional linear constraints (the non-linear case is a straightforward extension), denoted by $\mathcal{P}_n$, is: $(\mathcal{P}, \cap, \cup, \mathbb{R}^n, \emptyset, \exists_{x_i}, \delta^x_t, [t = t'])_{i \leq n;\, x \in V_n;\, t,t' \in tex_n}$ where $V_n = \{x_1, \dots, x_n\}$ is a set of $n$ variables, $tex_n$ is a term system of linear expressions on $V_n$ (a formalization of $tex_n$ is in Section 5.1) and $\mathcal{P}$ is the set of all space regions in $\mathbb{R}^n$ defined as possibly infinite unions of convex polyhedra (each constraint $c \in \mathcal{P}$ can be represented as a possibly infinite set of finite conjunctions of linear equations and disequations on $V_n$). The variable restriction operation $\exists$ is performed by cylindrification parallel to an axis [20]: if $c$ is a constraint in $\mathbb{R}^n$ and $i \leq n$, we define:

$\exists_{x_i} c = \{\, \bar{y} \in \mathbb{R}^n \mid y_j = x_j \text{ for some } \bar{x} \in c \text{ and all } j \neq i \,\}.$

$\exists_{x_i} c$ is the cylinder generated by moving the point set $c$ parallel to the $x_i$ axis. For any two linear expressions $t, t' \in tex_n$ and $R \in \{=, \neq, >, <, \geq, \leq\}$ we define:

$[t\,R\,t'] = \{\, \bar{e} \in \mathbb{R}^n \mid \bar{e} = (e_1, \dots, e_n),\ [\bar{e}/\bar{x}]t \;R\; [\bar{e}/\bar{x}]t' \,\}.$

The substitution operator is: $\delta^x_t = \lambda c.\, \exists_{\{x\}}([x = t] \cap c)$. $\mathcal{P}_n$ is a constraint system.


3.3 Operational Semantics

Constraint logic programming was defined by Jaffar and Lassez to specify relations on a constraint language by means of constraint-based Horn clauses. We follow the approach in [19] by defining Horn-like clauses on constraint systems. Constraint logic programs are defined in the usual way: let $\mathcal{A}$ be a constraint system on the term system $\tau$ and $\Pi$ be a finite set of predicate symbols. An $\mathcal{A}$-goal is a formula $c \,\Box\, B_1, \dots, B_n$ with $n \geq 0$, where $c$ is a simple $\mathcal{A}$-constraint and $B_1, \dots, B_n$ is a sequence of $(\tau, \Pi)$-atoms. An $\mathcal{A}$-clause is a formula of the form $H :- c \,\Box\, B_1, \dots, B_n$ where $H$ (the head) is a $(\tau, \Pi)$-atom and $c \,\Box\, B_1, \dots, B_n$ (the body) is an $\mathcal{A}$-goal. If the body is empty, the clause is a unit clause. A (generalized) constraint logic program, also called $\mathcal{A}$-program, is a finite set of clauses. For notational simplicity, we will sometimes omit the superscript from the various semantic functions where the constraint system under consideration is obvious from the context. The family of $\mathcal{A}$-programs is denoted by $CLP(\mathcal{A})$. Finally, the renamings of variables in constraints and terms extend their meaning in the obvious way to any syntactic object (atoms, goals, clauses, programs etc.); as well as the notion of independence.

Let $\mathcal{A}$ be a constraint system and $P \in CLP(\mathcal{A})$. Define $\to_P$ (an $\mathcal{A}$-derivation step) to be the least relation on $\mathcal{A}$-goals such that $G \to_P G'$ iff

• $G = c_0 \,\Box\, p_1(\bar{t}_1), \dots, p_n(\bar{t}_n)$;

• there exists a renamed version of a clause in $P$: $p_1(\bar{x}_1) :- c_1 \,\Box\, \bar{B}_1$, such that $var(G) \cap var(\bar{B}_1 \cup \{c_1\}) = \emptyset$;

• $G' = c_0 \otimes d_{\bar{x}_1, \bar{t}_1} \otimes \exists(c_1)_{\bar{x}_1 \cup var(\bar{B}_1)} \,\Box\, \bar{B}_1, p_2(\bar{t}_2), \dots, p_n(\bar{t}_n)$.

An $\mathcal{A}$-derivation from an $\mathcal{A}$-goal $G$ is a finite or infinite sequence of $\mathcal{A}$-goals such that every goal is obtained from the previous one by means of a single $\mathcal{A}$-derivation step. A successful derivation is a finite sequence whose last element has an empty body. The operational semantics is then defined in terms of the success set, namely the set of successful computations specified by the transitive closure of the transition relation on atomic $\mathcal{A}$-goals, where $\varepsilon$ denotes the empty sequence of goals:

$\mathcal{O}(P) = \{\, p(\bar{x}) :- \exists(c)_{\bar{x}} \mid 1 \,\Box\, p(\bar{x}) \to^*_P c \,\Box\, \varepsilon \,\}.$

The top-down semantics, defined by the previous transition system, characterizes the descendant 
(partial) constraints of the initial goal. This semantics provides information about call-patterns 
regardless of whether they succeed, finitely fail or do not terminate. 

Goal dependent success set semantics is defined in terms of a function J_P that yields the computed answer constraint for any A-goal, such that J_P(G) = ⊕{ ∃(c)_{var(G)} | G →*_P c □ ε }. The following lemma proves the AND-compositionality of the operational semantics of constraint logic programs. 

Theorem 3.1 ([19]) 

Let G = c0 □ p1(t̄1),...,pn(t̄n) be an A-goal and P ∈ CLP(A). J_P(G) = c iff there exist p_i(x̄_i) :- c_i ∈ O^A(P), such that x̄_i ind G and x̄_i ≠ x̄_j for 1 ≤ i,j ≤ n, i ≠ j; and c = ∃(c0 ⊗ d_{x̄1,t̄1} ⊗ c1 ⊗ ... ⊗ d_{x̄n,t̄n} ⊗ cn)_{var(G)}. 

Since a constraint system can be non-meet-commutative, it is straightforward to notice that independence from the selection rule does not hold in general for these semantic characterizations. For this reason we have assumed a left-to-right selection rule. 

3.4 Fixpoint Semantics 

In this section we define a fixpoint bottom-up semantics which is proved to be equivalent to the operational semantics. We allow constrained atoms into the base of interpretations as suggested in [17]. Each constrained atom 'p(x̄) :- c' represents the set of instances p(x̄)θ, where θ is a solution of the constraint c. We assume FV(c) ⊆ var(x̄). 

It can be shown that the unfolding of a clause is independent of the variable names used in constrained atoms. This can be expressed in the semantics by a relation '~' that captures the notion of equivalence up to renaming on constrained atoms: 

Definition 3.5 

Let B^A be the set of constrained atoms of a constraint system A. Define the binary relation ~ on B^A as follows: given A1 ≡ 'p(x̄1) :- c1' and A2 ≡ 'p(x̄2) :- c2' in B^A, A1 ~ A2 if and only if there exist "renaming apart" variables x̄', i.e. such that x̄' ≠ x̄1 and x̄' ≠ x̄2 (x̄' ind c1, c2), for which c1 and c2 coincide once x̄1 and x̄2 are respectively renamed to x̄'. The A-base of interpretations is B^A/~. ∎ 

In the remainder of the paper we will be concerned primarily with the quotient structure B^A/~, and for notational simplicity denote this by B^A. Moreover, given a syntactic object o, we denote by p(x̄) :- c ≪_o I a constrained atom p(x̄) :- c such that [p(x̄) :- c]_~ ∈ I and x̄ ind o. We extend this to specify tuples of renamed apart syntactic objects. 

Just as ⊗ expresses the notion of "merging together" the information present in two constraints, the operator ⊔ captures the notion of merging together the information present in two sets of constrained atoms; i.e. the operator ⊔ : ℘(B) × ℘(B) → ℘(B) is defined as follows: 

$$I_1 \sqcup I_2 = \{\, [\,p(\bar x) \mathrel{:-} \textstyle\bigoplus\{\, c' \mid p(\bar x') \mathrel{:-} c' \ll I_1 \cup I_2 \,\}\,]_{\sim} \;\mid\; p \in \Pi \,\}$$

The relation ⊑, expressing the notion of a set of constrained atoms containing less information than another, is defined as follows: for any I1, I2 ∈ ℘(B), I1 ⊑ I2 iff I1 ⊔ I2 = I2. 

Definition 3.6 

The set of A-interpretations ℑ^A ⊆ ℘(B^A) is the collection of sets of constrained atoms I such that I ∈ ℑ^A iff I ⊔ ∅ = ∅ ⊔ I = I. ∎ 

(ℑ^A, ⊑) is a complete lattice. Let p(x̄) :- c_j be elements of I, for some fixed (possibly infinite) set of indexes W. For each j ∈ W, c_j represents the set of admissible (i.e., computable in the program) solutions for the predicate symbol p, on the variables x̄. As the set of indexes W can be infinite, infinite joins of constraints are allowed in constrained atoms. This "closure" property is modeled by the closure of C on infinite joins, as assumed in any constraint system. Notice that it cannot be specified by first-order formulas. The fixpoint semantics of a program P over a constraint system A, F^A(P), is defined in terms of a continuous immediate consequence operator in the style of [33], i.e. F^A(P) = lfp(T_P) = T_P↑ω(∅), where the mapping T_P : ℑ^A → ℑ^A is defined as follows: 

$$T_P(I) = \bigsqcup_{C \in P} \left\{ [\,p(\bar x) \mathrel{:-} \exists(c)_{\bar x}\,]_{\sim} \;\middle|\; \begin{array}{l} C : p(\bar t) \mathrel{:-} \bar c \,\Box\, p_1(\bar t_1),\ldots,p_n(\bar t_n),\; n \ge 0,\\ \bar x \text{ ind } C \text{ and for each } i = 1\ldots n:\\ \qquad p_i(\bar x_i) \mathrel{:-} c_i \ll_{C} I,\\ \qquad c'_i = d_{\bar x_i,\bar t_i} \otimes c_i,\\ c = d_{\bar x,\bar t} \otimes \bar c \otimes c'_1 \otimes \cdots \otimes c'_n \end{array} \right\}$$

The fixpoint semantics construction requires, potentially, only a finite set of variables. This follows from the elementary properties of cylindrification with respect to substitution. Intuitively, hiding allows one to define "local environments" which cannot be influenced by substitution. As a consequence, any hidden variable in each of the c_i can be (re)used outside the scope of the hiding, thus making renamings by means of the same variables applicable. The number of variables needed to compute the semantics depends on the program structure. 
Example 3.5 Consider the following program over the Herbrand constraint system: 

p(x) :- x = []. 
p(x) :- x = [h|y] □ p(y). 

The fixpoint computation for T_P returns the following interpretation for p (we denote by , and ; conjunction and disjunction (set-union) of constraints): 

$$\begin{array}{ll} p(x) \mathrel{:-} & x = [];\\ & \exists_{h,y,x'}(x = [h|y],\; y = x',\; x' = []);\\ & \exists_{h,y,x''}(x = [h|y],\; y = x'',\; \exists_{h,y,x'}(x'' = [h|y],\; y = x',\; x' = []));\\ & \exists_{h,y,x'}(x = [h|y],\; y = x',\; \exists_{h,y,x''}(x' = [h|y],\; y = x'',\; \exists_{h,y,x'}(x'' = [h|y],\; y = x',\; x' = [])));\\ & \text{etc.} \end{array}$$

The set of variables needed to compute the fixpoint is {x, x', x'', h, y}. ◇ 

The following result states the equivalence between the operational and the fixpoint semantics, for any constraint system A. We need that V is a denumerable set of variables. 

Theorem 3.2 ([10]) 

Let A be a constraint system and P ∈ CLP(A), then F^A(P) = O^A(P)/~. 

4 Abstract Constraint Systems 

The definition of an abstract constraint system, which specifies a non-standard semantics for a constraint programming language, is performed in two steps: term abstraction and constraint abstraction. In the first step new syntactic objects are introduced to represent concrete terms. In the second one, constraints on the abstracted term system are defined. 

In general, a constraint system is an interpretation (in a closed semiring) for constraint formu¬ 
las. To relate constraint systems, we follow the approach to “static semantics correctness” in [5]. 
Correctness of non-standard semantic specifications can be handled in an algebraic way through 
the notion of morphism. However, the algebraic notion of morphism can be made less restrictive 
by assuming that the carriers of the algebras involved are partially ordered sets. We use a weaker 
notion of morphism between algebraic structures, capturing the approximation possibly induced 
by abstract interpretations or by any approximate semantics defined in the framework. 

A morphism of term systems, κ : τ → τ', is a function mapping terms of τ to terms of τ' such that for each t, t1, t2 ∈ τ and x ∈ V: κ(s_x(t1,t2)) = s'_{κ(x)}(κ(t1),κ(t2)), where s and s' are the substitution operators in τ and τ' respectively. Let A = (C, ⊗, ⊕, 1, 0, ∃_Δ, ∂^t_x, d_{t1,t2})_{{x},Δ⊆V; t,t1,t2∈τ} and A' = (C', ⊗', ⊕', 1', 0', ∃'_Δ, ∂'^t_x, d'_{t1,t2})_{{x},Δ⊆V; t,t1,t2∈τ'} be constraint systems. There exists a semimorphism α : A → A' iff there exists a morphism of term systems κ : τ → τ' such that for each c, c1, c2 ∈ C, C̄ ⊆ C, {x}, Δ ⊆ V and t, t1, t2 ∈ τ such that x ind t, the following hold: 

$$\begin{array}{l} \alpha(0) = 0' \\ \alpha(1) \le' 1' \\ \alpha(\oplus \bar C) \le' \oplus' \alpha(\bar C) \\ \alpha(\exists_{\Delta} c) \le' \exists'_{\Delta}\, \alpha(c) \\ \alpha(c_1 \otimes c_2) \le' \alpha(c_1) \otimes' \alpha(c_2) \end{array}$$

Semimorphisms of constraint systems will be often denoted as α_κ. Notice that α(∂^t_x c) ≤' ∂'^{κ(t)}_{κ(x)} α(c). 
Definition 4.1 

Let A and A' be constraint systems with universes C and C' and term systems τ and τ' respectively. A' is correct with respect to A iff there exists a semimorphism α_κ (κ : τ → τ' and α : A → A') which is a surjective and additive mapping of (C, ≤) into (C', ≤'). ∎ 

Additivity and surjectivity allow the semimorphism to associate the "best" approximating constraint in A' with any concrete constraint in A. As usual, this is captured by the notion of Galois insertion, as specified by the following, where a pair of functions (α, γ) is a Galois insertion of (C', ≤') into (C, ≤) iff α and γ are monotonic, α(γ(c')) = c' and c ≤ γ(α(c)) for each c ∈ C and c' ∈ C' [12,14]. If A' is correct with respect to A by means of a semimorphism α_κ, there exists a Galois insertion of (C', ≤') into (C, ≤). 

In the framework of abstract interpretation, correctness of fixpoint approximations requires in addition some conditions on correctness of the non-standard semantics operators [12]. With the assumption of additivity, semimorphisms are adequate to specify both Galois insertions and correctness of constraint systems. Let A' be a constraint system which is correct with respect to A, by means of a semimorphism α_κ. Let P = {C1,...,Cm} be a program in CLP(A). The corresponding program P' on A' is a set of clauses such that for each i = 1,...,m, if C_i = p(t̄) :- c □ p1(t̄1),...,pn(t̄n) then C'_i = p(κ(t̄)) :- α(c) □ p1(κ(t̄1)),...,pn(κ(t̄n)), where κ extends in the obvious way to tuples of terms. The following theorem relates the semantics of a program with the (non-standard) semantics of the corresponding program defined on a correct constraint system. 

Theorem 4.1 

Let P ∈ CLP(A) and P' ∈ CLP(A') be the corresponding program on A'. Assume A' is correct with respect to A. There exists ᾱ such that ᾱ(F^A(P)) ⊑' F^{A'}(P'). 

Given a (fixpoint) concrete semantics, data-flow analysis usually requires computing the limit of Kleene chains. Convergence to the least fixpoint can rather be obtained by forcing the abstract domain to satisfy the ascending chain condition or by using widening and narrowing operators to accelerate convergence of fixpoint approximations, as suggested in [12]. In the following we consider the conditions on the constraint system that ensure that the resulting abstract domain satisfies the ascending chain condition. We introduce the ascending chain condition on constraint systems and we show how this condition ensures finiteness in fixpoint computations. This approach is more related to the constraint system structure than the widening/narrowing one, which is in turn more related to the fixpoint computation. 

A set of constraints {c1,...,cn,...} is said to be free-variable bounded iff there exists a finite set of variables V such that FV(c_i) ⊆ V for each i ≥ 1. The following definition is important for abstract interpretation purposes: 

Definition 4.2 

A constraint system A is Noetherian iff its universe C does not contain any infinite chain of free-variable bounded constraints. ∎ 

The free-variable-boundedness condition here is crucial, for otherwise any constraint system with a denumerable set of variables is not Noetherian. To see this, consider the constraints c_i = x1 ∨ ... ∨ x_i: the set of constraints {c_i | i ≥ 1}, ordered by entailment, forms an infinite ascending chain even on a two-valued boolean interpretation. However, it is easy to see that this set is not free-variable-bounded. Given a Noetherian constraint system A, the domain ℑ^A is Noetherian, and F^A(P) can be computed by iterating T_P a finite number of times. 

Different semantic characterizations lead to different abstract evaluation strategies. Top-down abstract interpretation corresponds to the abstraction of the standard operational semantics. Bottom-up abstract interpretation instead allows one to compute a finite abstract approximation of the fixpoint semantics associated with a given constraint logic program. Goal-independence is an attractive feature of bottom-up evaluations. Global program analysis, especially useful in type inference, can then be specified as a bottom-up evaluation in a suitable constraint system. In the following we will concentrate on bottom-up (fixpoint-based) abstract interpretations only. This is because the possibility of using only a finite set of variables on which renamings are performed is attractive for proving that a constraint system is Noetherian (see for instance Section 5.1). 

We illustrate the previous idea by means of a simple example of data-flow analysis for ground dependences in pure logic programs [4,11]. 

Consider the (concrete) term system τ_{(Σ,V)} being defined over a finite set of variables V. Let us consider the term system τ_V as defined in Example 3.2. Terms are finite sets of variables. Ground terms are denoted with the empty set of variables. It is straightforward to notice that var is a morphism of term systems. 

Marriott and Søndergaard have proposed an elegant domain, named Prop, to represent ground dependences among arguments in atoms. This domain can be expressed as an instance of our framework using the algebra of propositional formulas with disjunction. Let A_Prop = (Prop_V, ∧, ∨, true, false, ∃_Δ, ∂^t_x, ∧(t) ↔ ∧(t'))_{{x},Δ⊆V; t,t'∈τ_V∪{x}} be the algebra of possibly existentially quantified disjunctions of formulas, defined on the term system τ_V, by the connectives ∧ and ↔ where, for each finite set of variables {x1,...,xn} ∈ τ_V: ∧({x1,...,xn}) = x1 ∧ ... ∧ xn, and ∧(∅) = true. 

Intuitively, the formula x ∧ y ∧ z ↔ w ∧ v represents an equation t = t' where var(t) = {x,y,z} and var(t') = {w,v}; x ∧ y represents a term whose groundness depends upon variables x and y; while x ∨ y represents a set of terms whose groundness depends upon variables x or y. Local variables are hidden by existential quantification, projecting away non-global variables in the computation. Since x ↔ true is equivalent to x, a variable x instantiated with a ground term is denoted x (i.e. the expression x denotes that x is rigid). Substitution is defined in the obvious way. It is easy to prove that, because of the finiteness of V, A_Prop (taken modulo logical equivalence) is a finite (and then Noetherian) constraint system. 

We associate with each equational constraint in τ_{(Σ,V)} a boolean expression specifying groundness relationships among variables in predicates. The following example shows this technique. 

Example 4.1 Consider the following program to reverse a list: 

nrev([], []). 
nrev([H|L], R) :- nrev(L, L1), append(L1, [H], R). 

append([], L, L). 
append([H|Y], X2, [H|Z]) :- append(Y, X2, Z). 

The corresponding Prop program for groundness analysis is: 

nrev(x1,x2) :- x1 ∧ x2. 
nrev(x1,x2) :- x1 ↔ (h ∧ l) □ nrev(l,r1), append(r1,h,x2). 

append(x1,x2,x3) :- x1 ∧ x2 ↔ x3. 
append(x1,x2,x3) :- x1 ↔ (h ∧ y) ∧ x3 ↔ (h ∧ z) □ append(y,x2,z). 

The reader may verify that the abstract semantics for append and nrev can be derived by evaluating the modified program in CLP(A_Prop) (which corresponds to the standard CLP(Bool)). They are given by: 

{ append(x1,x2,x3) :- x3 ↔ (x1 ∧ x2) }; and 
{ nrev(x1,x2) :- x1 ↔ x2 }. 

which correspond precisely with the behaviour of the program with respect to groundness: in append the third argument is ground iff the first two are ground, while in nrev the first argument is ground iff the second is ground. ◇ 
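The bottom-up T_P construction of Section 3.4 run on the Prop program of Example 4.1, as an added example (not code from the paper): Prop formulas are represented extensionally by their models, ⊗ is natural join, ⊕ is set union and ∃ is projection. The variable names h, y, z, l, r1 follow the example; the reading of the append base case as x1 ∧ (x2 ↔ x3) (from append([], L, L)) and the renaming of stored answers by relabelling columns are assumptions of this code.

```python
from itertools import product

class Rel:
    """A Prop constraint over an ordered tuple of boolean variables, stored
    extensionally as the set of truth assignments (tuples of 0/1) satisfying it."""
    def __init__(self, vars, rows):
        self.vars, self.rows = tuple(vars), frozenset(rows)
    def __eq__(self, other):
        return self.vars == other.vars and self.rows == other.rows

def formula(vars, pred):
    """All assignments over `vars` satisfying the Python predicate `pred`."""
    return Rel(vars, (r for r in product((0, 1), repeat=len(vars))
                      if pred(dict(zip(vars, r)))))

def meet(a, b):
    """Conjunction (the constraint system's ⊗): natural join on shared variables."""
    vs = a.vars + tuple(v for v in b.vars if v not in a.vars)
    rows = []
    for r in product((0, 1), repeat=len(vs)):
        asg = dict(zip(vs, r))
        if (tuple(asg[v] for v in a.vars) in a.rows
                and tuple(asg[v] for v in b.vars) in b.rows):
            rows.append(r)
    return Rel(vs, rows)

def join(a, b):
    """Disjunction (⊕): union of the models; both sides range over the same variables."""
    assert a.vars == b.vars
    return Rel(a.vars, a.rows | b.rows)

def project(a, keep):
    """Existential quantification of every variable not in `keep`."""
    idx = [a.vars.index(k) for k in keep]
    return Rel(keep, (tuple(r[i] for i in idx) for r in a.rows))

def iff(p, q):
    return bool(p) == bool(q)

# Formal parameters of each predicate, and the Prop clauses of Example 4.1 as
# (head predicate, all clause variables, clause constraint, body atoms).
FORMALS = {'append': ('x1', 'x2', 'x3'), 'nrev': ('x1', 'x2')}
PROGRAM = [
    # append([], L, L): [] is ground (x1) and L = L gives x2 <-> x3 (assumed reading)
    ('append', ('x1', 'x2', 'x3'),
     lambda a: a['x1'] and iff(a['x2'], a['x3']), []),
    # append([H|Y], X2, [H|Z]) :- append(Y, X2, Z)
    ('append', ('x1', 'x2', 'x3', 'h', 'y', 'z'),
     lambda a: iff(a['x1'], a['h'] and a['y']) and iff(a['x3'], a['h'] and a['z']),
     [('append', ('y', 'x2', 'z'))]),
    # nrev([], [])
    ('nrev', ('x1', 'x2'), lambda a: a['x1'] and a['x2'], []),
    # nrev([H|L], R) :- nrev(L, L1), append(L1, [H], R)
    ('nrev', ('x1', 'x2', 'h', 'l', 'r1'),
     lambda a: iff(a['x1'], a['h'] and a['l']),
     [('nrev', ('l', 'r1')), ('append', ('r1', 'h', 'x2'))]),
]

def tp(interp):
    """One application of the immediate consequence operator T_P."""
    new = {p: Rel(f, ()) for p, f in FORMALS.items()}
    for head, clause_vars, constraint, body in PROGRAM:
        rel = formula(clause_vars, constraint)
        for pred, args in body:          # body atom = stored answer, renamed to args
            rel = meet(rel, Rel(args, interp[pred].rows))
        new[head] = join(new[head], project(rel, FORMALS[head]))
    return new

def lfp():
    """Kleene iteration from the empty interpretation; Prop over a finite V is
    finite (hence Noetherian), so the iteration always terminates."""
    interp = {p: Rel(f, ()) for p, f in FORMALS.items()}
    while True:
        nxt = tp(interp)
        if nxt == interp:
            return interp
        interp = nxt

def describes(rel, pred):
    """True when `rel` is exactly the set of models of the formula `pred`."""
    return rel == formula(rel.vars, pred)
```

Running `lfp()` yields the two answers stated in the example: append's models are those of x3 ↔ (x1 ∧ x2) and nrev's those of x1 ↔ x2.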

4.1 The Approximation Operator on Constraint Systems 

The space of approximate constraints can be specified using upper closure operators, which formalize the idea of approximation [14]. Idempotence can be interpreted as the fact that all information is lost at once in the abstraction process; extensivity captures the essence of approximation as weakening, while monotonicity of the closure states that approximation is order preserving. 

In the following we introduce the basic properties of upper closure operators on a constraint system. These properties allow the resulting algebraic structure to be a constraint system as well. The following results extend the classical ones on closure operators [14] to constraint systems. In particular we characterize the approximation induced when the closure ρ behaves as a morphism of constraint systems. Following this approach, we can extend most of the well known techniques for abstract domain specification to constraint systems. 

Definition 4.3 

Let A be a constraint system with universe C. A compatible upper closure operator ρ on A is an upper closure operator on (C, ≤) satisfying the following properties: for each c, c' ∈ C: 

1. ρ(∃_Δ c) = ∃_Δ ρ(∃_Δ c); (∃-quasi closure) 

2. ρ(c ⊗ c') = ρ(ρ(c) ⊗ ρ(c')). (⊗-quasi morphism) 

∎ 
Since a compatible upper closure operator is a closure operator, it maps each constraint to one that approximates it. In addition, ⊗-quasi morphism relates meets of abstract constraints with meets of concrete constraints (recall that an upper closure operator is also a quasi-complete join-morphism, namely for each D ⊆ C, ρ(⊕_{c∈D} c) = ρ(⊕_{c∈D} ρ(c))). Finally, the ∃-quasi closure property ensures that the approximation of a constraint which is hidden on a set of variables is still hidden on the same set of variables. From this condition we can prove that ρ satisfies the ∃- and ∂-quasi morphism conditions (i.e. ρ(∃_Δ c) = ρ(∃_Δ ρ(c)) and ρ(∂^t_x c) = ρ(∂^t_x ρ(c)), for each c ∈ C, {x}, Δ ⊆ V and t ∈ τ such that x ind t) and that ρ ∘ ∃_Δ is an upper closure operator. 

Notice that ∃_Δ ∘ ρ is not idempotent, unless ∃_Δ and ρ commute. This is in accordance with a classical result of closure theory saying that any composition of two upper closure operators is an upper closure operator iff they commute [30]. 

Let A = (C, ⊗, ⊕, 1, 0, ∃_Δ, ∂^t_x, d_{t1,t2})_{{x},Δ⊆V; t,t1,t2∈τ} be a constraint system and ρ be a compatible upper closure operator on A. We define ρ(A) as the structure with universe ρ(C) = {c ∈ C | c = ρ(c)} whose operations are given, for each c, c1, c2 ∈ ρ(C), {x}, Δ ⊆ V and t ∈ τ such that x ind t, by: c1 ⊕_ρ c2 = ρ(c1 ⊕ c2), c1 ⊗_ρ c2 = ρ(c1 ⊗ c2), ∃^ρ_Δ c = ρ(∃_Δ c) and ∂^{ρ,t}_x c = ρ(∂^t_x c). 

Theorem 4.2 

Let ρ be a compatible upper closure operator on the constraint system A. ρ(A) is a constraint system. 


Example 4.2 Cylindrifications are monotonic operators, while idempotence and extensivity are specified by axioms C4 and C1 respectively. Moreover, cylindrifications commute; thus, if Δ and Θ are sets of variables and c is a constraint: ∃_Δ∃_Θ∃_Δ c = ∃_Δ∃_Θ c. However, for each set of variables Δ, ∃_Δ is not a compatible upper closure operator on the constraint system because it does not satisfy the ⊗-quasi morphism condition (see Axiom C3). ◇ 


By ⊗/⊕-quasi morphism, ρ(A) is correct with respect to A by means of the morphism ρ. As observed in [14], any Galois insertion (α, γ) defines an upper closure operator ρ = γ ∘ α on the corresponding (concrete) complete lattice. 

Corollary 4.3 

Let A^♯ be a constraint system which is correct with respect to a constraint system A by means of a surjective and additive morphism α_κ. Let γ = λc^♯. ⊕{c | α(c) ≤^♯ c^♯} and ρ = γ ∘ α. ρ(C) is isomorphic to C^♯. 


Let A be a constraint system and A^♯ be correct with respect to A by means of a surjective and additive morphism α_κ. Let γ = λc^♯. ⊕{c | α(c) ≤^♯ c^♯} and ρ = γ ∘ α. 

Theorem 4.4 

Let Δ ⊆ V and c, c1, c2 ∈ C. Then ∃_Δ ρ(∃_Δ c) = ρ(∃_Δ c) and ρ(ρ(c1) ⊗ ρ(c2)) = ρ(c1 ⊗ c2). 

In the following we study some sufficient conditions on A and α_κ to let the interpretation of the ⊗, ∃ and ∂ operators be unaffected by the closure ρ = γ ∘ α (i.e. the closure becomes a morphism of ⊗, ∃ and ∂). 

Theorem 4.5 

Let c1, c2 ∈ C: ρ(c1) ⊗ ρ(c2) ≤ ρ(c1 ⊗ c2). If A is ⊗-idempotent and 1 is the annihilator for ⊕, then ρ(c1 ⊗ c2) = ρ(c1) ⊗ ρ(c2). 

The following theorem gives a sufficient condition on A^♯ such that the composition of ∃ and ρ is a closure (i.e. ∃ and ρ commute). 

Theorem 4.6 

Let c, c' ∈ C and Δ ⊆ V. ∃_Δ ρ(c) ≤ ρ(∃_Δ c). If α(∃_Δ c) = α(∃_Δ c') ⇒ α(c) = α(c'), then ρ(∃_Δ c) = ∃_Δ ρ(c). 

Notice that the previous condition, α(∃_Δ c) = α(∃_Δ c') ⇒ α(c) = α(c'), states the injectivity of cylindrification in the abstract constraint system. 

Theorem 4.7 

Let A be a constraint system and ρ be an upper closure operator on C which commutes with ∃, is a ⊗-morphism and satisfies ρ(d_{t,t'}) = d_{t,t'} for each t, t' ∈ τ. Then ∂^t_x ρ(c) = ρ(∂^t_x c). 

We finally give a representation result for abstract constraint systems. Recall that given a partially ordered set (P, ≤), S ⊆ P is convex iff for each c, c'' ∈ S and c' ∈ P such that c ≤ c' ≤ c'', then c' ∈ S. It turns out that any (compatible) upper closure approximation of a constraint system defines a partition of the universe of constraints into convex sets of constraints: 

Proposition 4.8 

Let A be a constraint system and ρ be an upper closure operator on its universe of constraints C. For each c ∈ C the set c^ρ = {c' ∈ C | ρ(c) = ρ(c')} is convex. 

As a consequence, the closure of a constraint system A under a given upper closure operator ρ (i.e. ρ(A)) is the algebraic structure of "abstract" constraints, each representing a convex space of "concrete" solutions. The axioms for compatible closure operators (i.e. axioms 1 and 2) ensure that ρ(A) is a constraint system. 

5 Non-distributive Analysis 

Our framework is not appropriate to formalize an interesting class of constraint systems which are proved to be useful for program analysis (e.g. see linear relationships analysis below). 

Let us consider a (possibly non-compatible) upper closure operator. For the family of constraint systems where ⊗ is idempotent and commutative, and 1 is annihilator for ⊕, any meet of closed constraints is still closed, i.e., ρ(c1) ⊗ ρ(c2) = ρ(ρ(c1) ⊗ ρ(c2)). Thus, any compatible upper closure operator is a ⊗-morphism (see Theorem 4.5). This assumption is too strong for a wide class of closure operators useful in program analysis. For any upper closure operator ρ: ρ(c1 ⊗ c2) ≤ ρ(c1) ⊗ ρ(c2). The converse does not hold in general. In the following we will consider ⊗-idempotent and commutative constraint systems where 1 is annihilator for ⊕. 





Definition 5.1 

A weakly compatible upper closure operator on a constraint system A, with universe of constraints C, is an upper closure operator on C such that: ρ(0) = 0, ρ(d_{t,t'}) = d_{t,t'} and ρ ∘ ∃_Δ = ∃_Δ ∘ ρ, for any terms t, t' and set of variables Δ. ∎ 

Theorem 5.1 

Let A = (C, ⊗, ⊕, 1, 0, ∃_Δ, ∂^t_x, d_{t1,t2})_{{x},Δ⊆V; t,t1,t2∈τ} be a constraint system and ρ be a weakly compatible upper closure operator on A. ρ(A) = (ρ(C), ⊗, ⊕_ρ, 1, 0, ∃_Δ, ∂^t_x, d_{t1,t2})_{{x},Δ⊆V; t,t1,t2∈τ}, where ⊕_ρ = λC̄. ρ(⊕C̄), is a non-distributive constraint system. 


Assume a constraint system A where the axiom of distributivity is replaced by the weaker relation: c ⊗ (c1 ⊕ c2) ≥ (c ⊗ c1) ⊕ (c ⊗ c2). Distributivity has been assumed to prove the equivalence results between fixpoint and operational semantics. The second one is in fact a kind of "all solutions" semantics, where the join is taken at the end of all the possible computations, while in the fixpoint case the semantic construction applies the join operator at each partial computation step (an equivalent operational semantics can easily be defined: this would correspond to the bottom-up execution strategy of deductive databases rather than the standard operational interpretation of logic programs [28]). In this case, as the constraint system is not distributive any more, we can only have a further approximation level by applying bottom-up instead of top-down evaluation, i.e. O(P) ⊑ F(P). In the following we study this class of constraint systems by means of an example. 


Example 5.1 The problem of future redundant constraints in CLP(ℛ) has been studied in the context of compiler optimization [25]. Intuitively, a constraint in a clause is future redundant if, after testing the constraint for satisfiability, adding or not the constraint to the current computed constraint (also named store) does not contribute to the answer constraint. This is because, in the computation, stronger constraints are added to the store. This information can be used for a variety of optimizations [25]. In this example we sketch a formalization of this analysis as a non-standard CLP computation using a slightly different notion of redundancy. Consider the constraint system ℛ_n of Example 3.4. Let P ∈ CLP(ℛ_n) and ρ be some extensive operator on ℛ_n (upper closure operators are appropriate to this purpose). Assume p be a predicate symbol defined in P and let C = p(x̄) :- c ∩ c' □ B ∈ P be a clause defining p. Let P' = (P \ {C}) ∪ {p(x̄) :- c' □ B}. If p(x̄) :- c_p is in F(P'), i.e., c_p is the answer constraint for p in the modified program, c_p ∩ c ≠ ∅ (i.e. c_p ∧ c is solvable) and for each convex polyhedron c̄ ∈ c_p: ρ(c̄) ⊆ c (i.e. c is weaker than ρ(c̄)), then c is future redundant in C. To prove this claim we just note that by ρ-extensivity, for each constraint c: c ⊆ ρ(c). 

A suitable choice of an extensive operator on ℛ_n is provided by approximating any convex polyhedron with a hypercube, which is a polyhedron whose facets are parallel to the axes (similar techniques have been used for static array bound checking [12]). For any set of polyhedra c ∈ 𝒫, define box(c) as the least hypercube containing c. box is clearly an upper closure operator on the domain of convex polyhedra ordered by set inclusion. To provide parameter passing, we allow diagonal elements in the abstract domain of constraints. The approximation of diagonal elements by their least hypercubes would in fact correspond to associating the whole space ℝ^n with each equation, thus making the parameter passing useless. Thus, if c is a hyperplane, box(c) = c. Moreover box(∅) = ∅ and for each Δ ⊆ V: box(∃_Δ c) = ∃_Δ box(c) (i.e. λx.box(x) is weakly compatible). 

The universe of abstract constraints box(𝒫) contains hypercubes and hyperplanes as constraints. Thus, future redundant constraints can be handled in the simpler non-distributive abstract constraint system box(ℛ_n). Since box(ℛ_n) is not Noetherian, termination conditions, such as the widening/narrowing techniques proposed in [12], have to be applied in the abstract fixpoint evaluations. 

Better results can be obtained by keeping separate the answers for each clause in the program, with a less abstract semantic construction. 

Recently, several studies have been devoted to "implementing" interval arithmetics in the constraint logic programming paradigm. In [2] bounding box spatial approximations in constraint logic programs over finite domains are specified as an instance of our framework. In [27], the use of intervals has been presented to absorb floating-point errors in CLP(ℛ) computations. They present an implementation based on a meta-interpreter executed by an existing CLP(ℛ) system [24]. Both of these approaches can be used for future redundant constraint detection. ◇ 

5.1 Linear Relationships Analysis 

In this section we study the applicability of non-distributive constraint systems by modifying the ground dependency analysis technique to cope with linear relationships among predicate arguments in CLP(ℛ). 

A number of data-flow analyses in imperative languages are included in the determination of linear relations among variables, like compile-time overflow, integer subrange and array bound checking [15]. A very useful analysis on the relationships among variables of a program can be specified in our framework by linear relationships analysis [15,26,18,34], which provides useful information for proving termination, compile-time overflow, mutual exclusion, program debugging etc. The problem of discovering linear equality relations by abstract interpretation in logic programs has been studied in [34]. 

The automatic derivation technique in [34] for linear size relations among variables in logic programs can be suitably specified as a constraint computation. In the following we will show how this technique can be viewed as an instance of our framework, thus making explicit the strong relation between automatic detection of linear relationships among variables and CLP(ℛ) computations. 

Let τ_{(Σ,V)} be defined as in Example 3.1, over a finite set of variables V. Let |·|_N be a (semilinear) norm¹ ([7]) on the term system τ_{(Σ,V)}. We define a term system τ_Exp of linear expressions where terms are first order terms in the language {+, 0, 1, V} (i.e. terms in τ_{({+,0,1},V)}). Substitutions are performed as standard substitutions. In the following we represent the term X + X + Y + 1 + 1 + 1 as 2X + Y + 3. τ_Exp is a term system. 

The mapping Exp_N : τ_{(Σ,V)} → τ_Exp associates a linear expression with each term in τ_{(Σ,V)} as follows [34]: 

$$Exp_N(t) = \begin{cases} t & \text{if } t \text{ is a variable} \\ c + \sum_{i \in W} Exp_N(t_i) & \text{if } t = f(t_1,\ldots,t_n) \end{cases}$$

¹A norm |·| is said to be semilinear if it is of the form: |t| = 0 if t is a variable; |t| = c + Σ_{i∈W} |t_i| if t = f(t1,...,tn), where c ≥ 0 and W ⊆ {1,...,n}. 

Example 5.2 With the length and size norms: 

|t|_length = 0 if t is a variable, 
|t|_length = 0 if t = [], 
|t|_length = 1 + |tail|_length if t = [h|tail], 

(this norm measures the length of a list) 

|t|_size = 1 if t is a variable or a constant, 
|t|_size = 1 + |t1|_size + ... + |tn|_size if t = f(t1,...,tn), 

(this norm measures the size of a term as the size of its subterms) 

we have: Exp_length([X|[a|Z]]) = 1 + 1 + Z and Exp_size([X|[a|Z]]) = 1 + X + 1 + Z respectively. 

◇ 


A constraint system of affine relationships (i.e. linear equalities of the form c0 = c1X1 + ... + cnXn) can be defined by specifying intersection, disjunction and cylindrification (variable restriction) as given in [34]. Intuitively, an affine subspace is a point, line, plane, etc., possibly not including the origin. A linear subspace is an affine subspace containing the origin. Recall that an affine transformation T : ℝ^n → ℝ^m maps affine subspaces to affine subspaces; its kernel is the set of elements mapped to the origin, and is itself an affine subspace. Linear relations can be represented as n-tuples of real numbers (geometrically as sets of points in an n-dimensional space). These sets are approximated by affine subspaces or linear varieties [26,34]. A scheme for the finite representation of these (possibly infinite) spaces is provided by representing the space as the kernel of an affine transformation from ℝ^n to ℝ^m for appropriate m [26]. Affine transformations from ℝ^n to ℝ^m can be represented as an m × n matrix A together with an m × 1 column matrix (vector) c. The corresponding transformation maps x ∈ ℝ^n to Ax − c ∈ ℝ^m. The affine subspace can be found by solving the non-homogeneous system AX = c. Several different matrix-vector pairs may represent the same set of relationships. Elementary linear algebra fortunately provides us with a "canonical form" for this problem. This canonical form can be obtained by reducing the augmented matrix [A|c] to row-echelon form². Standard algorithms can be used to reduce any matrix to row-echelon form. 

Consider the domain of affine subspaces 𝒦 on a fixed n-dimensional space and the following basic operations, as given in [34]: 

intersection (∩): The intersection of two affine subspaces [A1|c1] and [A2|c2] is still an affine subspace. Such an intersection can be obtained by reducing the augmented matrix 

$$\left[\begin{array}{c|c} A_1 & c_1 \\ A_2 & c_2 \end{array}\right]$$

to a row-echelon form. If the two affine subspaces have different dimension, m and m + k, we extend the one of lower dimension m to m + k by adding k columns of 0's to the matrix and k rows of 0's to the corresponding vector. 

²A matrix A is in row-echelon form iff every row has at least one non-zero entry, the first non-zero entry of each row is 1, and for any row i0, if j0 is the first column with a non-zero entry of the row, then for all i > i0, j ≤ j0: A_{i,j} = 0 and for all i < i0, A_{i,j0} = 0 [26]. 





union (⊔): The union of two affine subspaces is not, in general, an affine subspace. We consider instead the smallest affine subspace [A|c] containing [A1|c1] and [A2|c2], namely if [A1|c1], [A2|c2] and [A|c] specify linear transformations T1, T2 and T then kernel(T) is isomorphic to kernel(T1) + kernel(T2). In [26] an efficient algorithm to compute linear disjunctions has been introduced. Examples are shown in [34]. 

cylindrification (∃): The variable restriction operation is performed by cylindrification parallel to an axis. By definition, the cylindrification of an affine subspace is still an affine subspace. In [34] the cylindrification operation is defined as a matrix transformation. 

substitution (∂): Let S be an affine subspace and x ∈ V, t ∈ τ_Exp. Substitution of x with t in S is defined as the affine subspace ∃_{{x}}([x = t] ∩ S). 

Variables are assumed to be finite, V = {x1,...,xn}³. If the relations are contradictory, then the subspace is the empty set ∅ (it cannot be represented as a matrix-vector pair). If there are no affine relations, the corresponding subspace is the entire space ℝ^n. Diagonal elements are (single) equations on the term system τ_Exp. In the following, for each equation t1 = t2, we denote by [t1 = t2] ⊆ ℝ^n the corresponding affine subspace. As before, this notation simplifies somewhat the presentation. 


Proposition 5.2 ⟨K, ⊓, ⊔, ∅, Ωⁿ, ∃_x, δ_x, [t = t']⟩_{x ∈ V, t, t' ∈ T_Exp} is a non-distributive, ⊓-idempotent and commutative
constraint system, where Ωⁿ (the entire space) is the annihilator for ⊔.


As pointed out in [26], there are no infinitely ascending chains of free-variable bounded constraints
(i.e. bounded dimension affine spaces), otherwise in any properly ascending chain of subspaces
U1 ⊂ U2 ⊂ ... the subspace U_{i+1} must have a dimension at least one greater than that of U_i. The
resulting constraint system is then Noetherian.

A linear equation is associated with each equation on terms. The following example shows the 
length relationships among the arguments of the append predicate. The solution can be obtained 
in a dimension space. 


Example 5.3 Consider the logic program defining the predicate append in Example 4.1, together
with the semilinear norm length. The corresponding abstract program is:

append(x1, x2, x3) :- x1 = 0, x2 = x3.

append(x1, x2, x3) :- x1 = 1 + y, x3 = 1 + z ◇ append(y, x2, z).


The abstract semantics is:

T_P ↑ 0 = ∅

T_P ↑ 1 = { append(x1, x2, x3) :- x1 = 0, x2 = x3 }                                 [c1]

T_P ↑ 2 = { append(x1, x2, x3) :- (x1 = 0, x2 = x3) ⊔ (x1 = 1, x3 = 1 + x2) }      [c1] ⊔ [c2]

        = { append(x1, x2, x3) :- x1 + x2 = x3 }                                     (fixpoint)

*As we are interested in relations (those defined in the program) having finite arity, we can always represent
any answer constraint as a constraint on the finite dimensional space of its free variables. Moreover, the use of a
bottom-up semantic construction does not require any infinite set of variables for renamings.


Let us denote by A1 and A2 the augmented matrices associated with the constraints c1 and c2
respectively (on the 3 + 1-dimensional space x1, x2, x3, x4). Applying the algorithm in [26] we
have:

    A1 = [ 1  0  0  0 ]        A2 = [ 1  0  0  1 ]
         [ 0 -1  1  0 ]             [ 0 -1  1  1 ]

    ⇒ A1 ⊔ A2 = [ 1  1 -1  0 ].

The affine subspace x1 + x2 = x3 specifies the affine relationship among the lengths of the arguments
of the predicate append in the expected way. □
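The operations above (intersection by row reduction, the linear disjunction as the smallest enclosing affine subspace, cylindrification as projection) and the T_P iteration of Example 5.3, as an added Python example that is not part of the paper. It uses exact rationals and a generator-based join in place of the algorithm of [26]; the encoding of append's clauses as augmented matrices over the columns x1, x2, x3, y, z is an assumption of this example.

```python
from fractions import Fraction as F

def rref(rows, n):
    """Reduced row-echelon form of augmented rows (n coefficients + rhs); returns
    (rows, pivots) without zero rows, or None when some row reads 0 = c, c != 0."""
    M = [[F(x) for x in r] for r in rows]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, len(M)) if M[i][col] != 0), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        M[r] = [x / M[r][col] for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][col] != 0:
                M[i] = [a - M[i][col] * b for a, b in zip(M[i], M[r])]
        pivots.append(col)
        r += 1
    return None if any(M[i][n] != 0 for i in range(r, len(M))) else (M[:r], pivots)

def nullspace(rows, pivots, n):
    """Basis of the direction space {x : A x = 0}, read off the reduced rows."""
    basis = []
    for free in [c for c in range(n) if c not in pivots]:
        v = [F(0)] * n
        v[free] = F(1)
        for row, pcol in zip(rows, pivots):
            v[pcol] = -row[free]
        basis.append(v)
    return basis

def from_generators(point, gens, n):
    """Equations of point + span(gens): coefficient vectors a are the nullspace of
    the generator matrix, and the right-hand side of each is a . point."""
    rows, piv = rref([g + [F(0)] for g in gens], n)  # homogeneous system, never None
    return [a + [sum(x * y for x, y in zip(a, point))] for a in nullspace(rows, piv, n)]

class Affine:
    """Affine subspace of an n-dimensional space as a reduced system A x = c;
    rows is None for the empty subspace (contradictory relations)."""
    def __init__(self, n, rows):
        self.n = n
        red = rref(rows, n) if rows is not None else None
        self.rows, self.pivots = red if red is not None else (None, None)

    def __eq__(self, other):  # the reduced form is canonical, so the rows decide
        return self.n == other.n and self.rows == other.rows

    def generators(self):
        """A particular point (free variables set to 0) plus a direction basis."""
        p = [F(0)] * self.n
        for row, pcol in zip(self.rows, self.pivots):
            p[pcol] = row[self.n]
        return p, nullspace(self.rows, self.pivots, self.n)

    def meet(self, other):
        """Intersection: stack both augmented matrices and reduce."""
        if self.rows is None or other.rows is None:
            return Affine(self.n, None)
        return Affine(self.n, self.rows + other.rows)

    def join(self, other):
        """Smallest affine subspace containing both (the linear disjunction)."""
        if self.rows is None or other.rows is None:
            return other if self.rows is None else self
        (p1, g1), (p2, g2) = self.generators(), other.generators()
        diff = [b - a for a, b in zip(p1, p2)]  # direction joining the two points
        return Affine(self.n, from_generators(p1, g1 + g2 + [diff], self.n))

    def project(self, keep):
        """Cylindrify along every variable not in keep, then drop those axes."""
        if self.rows is None:
            return Affine(len(keep), None)
        p, gens = self.generators()
        pk, gk = [p[i] for i in keep], [[g[i] for i in keep] for g in gens]
        return Affine(len(keep), from_generators(pk, gk, len(keep)))

def embed(S, positions, n):
    """Re-express S (over k variables) in an n-variable space, putting its i-th
    variable at column positions[i]; the other variables stay unconstrained."""
    if S.rows is None:
        return Affine(n, None)
    rows = []
    for r in S.rows:
        new = [F(0)] * (n + 1)
        for i, pos in enumerate(positions):
            new[pos] = r[i]
        new[n] = r[S.n]
        rows.append(new)
    return Affine(n, rows)

def analyse_append():
    """Bottom-up iteration T_P of the abstract append program under the length
    norm (assumed encoding). Columns: x1, x2, x3 (head) and y, z (body)."""
    clause1 = Affine(3, [[1, 0, 0, 0], [0, 1, -1, 0]])              # x1 = 0, x2 = x3
    clause2 = Affine(5, [[1, 0, 0, -1, 0, 1], [0, 0, 1, 0, -1, 1]])  # x1 = 1 + y, x3 = 1 + z
    approx, history = Affine(3, None), []                             # T_P up 0 = empty set
    while True:
        body = clause2.meet(embed(approx, [3, 1, 4], 5))  # body atom append(y, x2, z)
        new = clause1.join(body.project([0, 1, 2]))       # [c1] join [c2], restricted to x1..x3
        history.append(new)
        if new == approx:
            return approx, history                         # fixpoint reached
        approx = new
```

The returned fixpoint is the single row [1, 1, -1 | 0], i.e. x1 + x2 = x3, and the second iterate reproduces A2 (x1 = 1, x3 = 1 + x2) before the join.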

6 Related Work 

Abstract interpretation of constraint logic programs is considered by Marriott and Søndergaard
[29]. Their treatment is based on abstracting a denotational semantics for constraint logic programs.
A meta-language based on the typed λ-calculus is used to specify the semantics of logic
languages in a denotational style, and both the standard and non-standard semantics are viewed
as instances of the meta-language specification. In our case, instead of defining a meta-language
for data-flow analysis, we consider the constraint specification on which the CLP paradigm is
defined. Non-standard semantics for a given constraint-based program can thus be obtained by
appropriately modifying the underlying constraint system. In this way, data-flow analyses of
logic-based languages can be specified as a standard constraint computation. No difference is
introduced between the concrete programming language and the abstract one. They both derive
from the same general specification of the CLP paradigm.

A related approach is also considered by Codognet and Filé, who give an algebraic definition
of constraint systems and consider abstract interpretation of constraint logic programs [9]. However,
the algebraic structure considered by these authors is very different: only constraint composition is
considered. The notion of "computation system" is introduced but the underlying structure is
not provided with a join operator. Because of this construction, mainly based on a generalization
of the top-down SLD semantics, a loop-checker consisting in a "tabled" interpreter is needed.
In our framework, by contrast, extraneous devices such as loop checking and tabulation are not
considered. Instead, finiteness is treated simply as a property of the constraint system, expressed
in terms of ≤-chains. This allows non-standard computations to be specified as standard CLP
computations over an appropriate (abstract) constraint system.

7 Conclusions 

Weaker constraint systems can be considered, where for example distributivity does not hold.
The distributivity restriction is not applicable to a wide class of static analysis problems including
linear relationships, as shown in Section 5.1, and range variable analysis, based on an abstract
lattice of intervals specifying the range of program variables [2]. Non-distributive constraint
systems can be studied as a more general framework for constraint-based program analysis. A
classification of the different constraint systems useful in data-flow analysis can be based on the
set of properties they hold. A comparison with our framework can be useful to systematically
derive those properties of the semantic construction that may be affected by a different constraint
system definition.

Another aspect of the semantic construction is the use of variable hiding operators (such as
cylindrifications) in the T_P definition. Technically, this allows the use of only finite sets of variables
on which to perform renamings, thus simplifying the construction of finite upper approximations
to the semantics, such as in the case of linear relationships analysis, where the finiteness is strongly
related to the (finite) dimension of the space of solutions.
Dimension-Complemented Lambda Abstraction Algebras
Don Pigozzi and Antonino Salibra 
Iowa State University and University of Bari 


The untyped lambda calculus is formalized as a theory of equations, but it is not an
equational theory in the usual algebraic sense because the equations, unlike the associative
and commutative laws for example, are not always preserved when arbitrary terms are
substituted for variables. Consequently the general methods that have been developed in
universal algebra and category theory, for defining the semantics of an arbitrary algebraic
theory for example, are not directly applicable. There have been several attempts to
reformulate the lambda calculus as a purely algebraic theory. The earliest and best known,
although apparently not motivated by these considerations, is the combinatory logic of
Curry. More recently, several purely algebraic theories of the lambda calculus within the
context of category theory have been developed: Obtułowicz and Wiweger [9] via the algebraic
theories of Lawvere; Adachi [1] via monads; Curien [3] via categorical combinators.

In [10] we proposed an alternative approach in the context of universal algebra. We
introduced the notion of a lambda abstraction algebra (LAA for short), which is intended to
provide a purely algebraic theory of the lambda calculus in the same way Boolean algebras
constitute an algebraic theory of classical propositional logic and, more to the point, cylindric
and polyadic Boolean algebras an algebraic theory of first-order predicate logic. In all
algebraic theories of the lambda calculus the role of the variables is suppressed to varying
degrees and the notion of substituting terms for the free variables of a term is abstracted.
In LAA's this is effected by "inverting" (β)-conversion to obtain a definition of substitution
in terms of the primitive notions of application and lambda abstraction.

The natural models of lambda abstraction theory are algebras of functions of possibly
infinite arity, while models of the lambda calculus consist exclusively of unary functions.
LAA's of functions of finite arity can be reduced to models of the lambda calculus by the
well known method of Schönfinkel and Curry, but this is not possible in general. Consequently,
there are functional LAA's with elements that cannot be represented by any term
of the lambda calculus that is constructed from lambda variables and constants denoting the
elements of some combinatory algebra. The dimension-complemented LAA's are the widest
subclass of such algebras that are known to have a natural intrinsic characterization. In
the present paper we prove that every dimension-complemented LAA is isomorphic to a
point-relativized functional LAA.

The two primitive notions of the lambda calculus are application of a function to its
argument (expressed as the juxtaposition of terms) and lambda (functional) abstraction, the
process of forming a function from the "rule" that defines it. The connection between them
is formalized in (β)-conversion: (λx.t)s = t[s/x]. Here t and s are terms and t[s/x] is the
result of substituting s for all free occurrences of x in t, with the restriction that s must be
"free for x in t".

A lambda abstraction algebra is an algebra of the form

A = (A, ·, λx1, λx2, ..., x1, x2, ...),

where A is a nonempty set, · is a binary operation (corresponding to application), λx1, λx2, ...
is an infinite system of unary operations on A, and x1, x2, ... a corresponding system of
distinguished elements of A called lambda variables. Substitution is abstracted as a system of
term-defined, binary operations ·[·/x_i] on A. The algebraic reformulation of (β)-conversion
becomes the definition of abstract substitution:


b[a/x_i] ::= (λx_i(b)) · a, for all a, b ∈ A.

An element a of a LAA is said to be algebraically dependent on x_i if a[x_j/x_i] ≠ a for
some j ≠ i. A LAA is locally finite-dimensional if every element algebraically depends on
only a finite number of x_j; it is dimension-complemented if, for each element a, there is at
least one x_j on which a fails to depend. From the axioms of LAA's given below it can be
proved that a is in fact independent of an infinite number of x_j.

The equational axioms of LAA's reflect (α)-conversion and Curry's recursive axiomatization
of substitution in the lambda calculus. They take the following form, where Δa is
the set of all x_i such that a is algebraically dependent on x_i.

(β1) x_i[a/x_i] = a;   (β2) x_j[a/x_i] = x_j, j ≠ i;   (β3) a[x_i/x_i] = a;

(β4) λx_i(b)[a/x_i] = λx_i(b);   (β5) (b · c)[a/x_i] = b[a/x_i] · c[a/x_i];

(β6) x_j ∉ Δa ⇒ λx_j(b)[a/x_i] = λx_j(b[a/x_i]), j ≠ i;

(α) x_j ∉ Δa ⇒ λx_i(a) = λx_j(a[x_j/x_i]).

Axioms (β6) and (α) can be replaced by identities, so the class of LAA's forms a variety.
The basic theory of LAA is developed in [10]. A closely related notion, lambda term systems,
has recently been introduced by Diskin [4].


Theorem 1 Let A be a dimension-complemented LAA. Then Δa1 ∪ ... ∪ Δan is coinfinite
for any finite set a1, ..., an of elements of A.


The "intended" models of the theory are the functional lambda abstraction algebras.

Let V = (V, ·^V, λ^V) be a structure where V is a nonempty set, ·^V is a binary operation
on V, and λ^V : V^V ⇀ V is a partial function assigning elements of V to certain functions
from V into itself. V is called a functional domain if, for every f in the domain of λ^V,
f(v) = (λ^V(f)) ·^V v, for all v ∈ V.

Let V = (V, ·^V, λ^V) be a functional domain and let V_ω = { f : f : V^ω ⇀ V }, where
ω = {1, 2, 3, ...}. By the ω-coordinatization of V we mean the algebra

V_ω = (V_ω, ·^{V_ω}, λx_1^{V_ω}, λx_2^{V_ω}, ..., x_1^{V_ω}, x_2^{V_ω}, ...),

where ·^{V_ω}, λx_i^{V_ω}, and x_i^{V_ω} are defined as follows (for all p ∈ V^ω, v ∈ V, and i ∈ ω,
p(v/i) ∈ V^ω is defined as follows: p(v/i)_j = v if j = i; p(v/i)_j = p_j otherwise).

• (a ·^{V_ω} b)(p) = a(p) ·^V b(p), provided a(p) and b(p) are both defined; otherwise
(a ·^{V_ω} b)(p) is undefined.

• λx_i^{V_ω}(a)(p) = λ^V(⟨a(p(v/i)) : v ∈ V⟩), provided ⟨a(p(v/i)) : v ∈ V⟩ is in the
domain of λ^V (note this implies a(p(v/i)) is defined for all v ∈ V); otherwise
λx_i^{V_ω}(a)(p) is undefined.

• x_i^{V_ω}(p) = p_i.

A subalgebra A of total functions of V_ω, i.e., a subalgebra such that a(p) is defined
for all a ∈ A and p ∈ V^ω, is called a functional lambda abstraction algebra. Locally finite-dimensional
functional LAA's are similar to the functional models of the lambda calculus
developed in Krivine [6].

The locally finite-dimensional LAA's correspond most closely to the other algebraic models
of the lambda calculus that have appeared in the literature, for instance the term lambda
algebras ([7]) and syntactical models ([2]) of combinatory logic and the Curry theories of [9].
On the other hand functional LAA's correspond to the environment models ([7]) and lambda
models ([2]) of combinatory logic and the functional Curry theories in [9].

The following is the main result in [10]. 

Theorem 2 Every locally finite-dimensional LAA is isomorphic to a functional LAA with
the property that each function in the domain of the algebra depends on only a finite number
of arguments.


This theorem corresponds to the completeness theorem for the lambda calculus ([7]):
every lambda theory consists of precisely the equations valid in some environment model.
It is modeled on the representation theorem for locally finite-dimensional cylindric algebras
([5], Part II, Thm. 3.2.11(i)), which corresponds to the completeness theorem for first-order
predicate logic (cf. the Foreword of [5], Part I).

The representation of dimension-complemented LAA's requires a slightly more general
notion of functional algebra.

Let V be a functional domain. Let e ∈ V^ω be such that e(i) = x_i for all i ∈ ω, and let V^ω_e
be the set of all p ∈ V^ω that differ from e at only finitely many positions, i.e.,

V^ω_e = { p ∈ V^ω : |{ i : p_i ≠ e_i }| < ω }.

Let V_{ω,e} be the set of all partial functions f : V^ω_e ⇀ V. The (ω,e)-coordinatization of V,
V_{ω,e}, is defined just as V_ω except that all functions are required to be in V_{ω,e}.

A subalgebra A of V_{ω,e} of total functions is called a point-relativized functional lambda
abstraction algebra.


Theorem 3 Every dimension-complemented lambda abstraction algebra is isomorphic to a 
point-relativized functional LAA. 

Outline of proof: Let A be an arbitrary LAA. The functional domain V = (V, ·^V, λ^V)
associated with A is defined as follows: V = A and ·^V = ·. The domain of λ^V : V^V ⇀ V
is { ⟨a[v/x_i] : v ∈ V⟩ : a ∈ A and i ∈ ω }, and for each function in this set we define
λ^V(⟨a[v/x_i] : v ∈ V⟩) := λx_i.a. It can be shown that ⟨a[v/x_i] : v ∈ V⟩ = ⟨b[v/x_j] : v ∈ V⟩
implies λx_i.a = λx_j.b. Thus λ^V is well defined. It is easily checked that V is a functional
domain.
Let A be dimension-complemented and let V be its associated functional domain. For
each p ∈ V^ω_e, there exist lambda variables y1, ..., yn and elements v1, ..., vn of V such that
p = e(v1/y1, ..., vn/yn). Define a mapping Φ : A → V_{ω,e} as follows: for all a ∈ A

Φ(a)(e(v1/y1, ..., vn/yn)) = a[z1/y1] ... [zn/yn][v1/z1] ... [vn/zn],

for all lambda variables y1, ..., yn and all v1, ..., vn ∈ V and any set of lambda variables z1, ..., zn
such that a and v1, ..., vn are all independent of each of the z_i. It can be
shown that Φ is well defined and an isomorphism between A and a total subalgebra of
V_{ω,e}.

It can be shown that the class of point-relativized functional LAA's (and their isomorphic
images) forms a variety. It coincides with the varieties generated by each of the classes
of locally finite-dimensional, dimension-complemented, and functional LAA's. It is an open
problem if functional LAA's form a variety and hence coincide (up to isomorphism) with
point-relativized functional LAA's. Since the point-relativized functional LAA's form a variety
they are axiomatized by some set of identities by Birkhoff's theorem. It is conjectured
that they are finitely axiomatizable and, moreover, that the equational axioms for lambda
algebras ([2], p. 94) together with those of LAA's are sufficient for this purpose. In contrast
the representable cylindric algebras are not finitely axiomatizable.

Dimension-complemented LAA's have a direct analogue in the theory of cylindric algebras.
Our representation theorem can be compared with the representation theory for
dimension-complemented cylindric algebras; see [5], Part II, Thm. 3.2.11(ii). For a detailed
survey of recent results in cylindric and related algebras see [8].
Abstract

Parametrized recursion theory allows one to characterise the power of parametrisation in various specification
methods. In particular, for the computation of the target algebra, the role of nondeterminism and the degree of
availability of the parameter algebra can be studied.

Today, many different methods for the algebraic specification of abstract data types (ADTs) are proposed. They
differ in their syntactical, semantical and categorical properties.

When you have a particular abstract data type in mind, which method should be used to specify it? If a certain
method is not powerful enough, you have to choose a more general one. The other way round: if you use a too
general method, then the available tools and proof techniques may become weaker. So it is very useful to know
which ADTs can be specified with the various methods at all.


1 Five Specification Methods 

We compare five methods with increasing expressiveness:

1. total algebras with equations (see [EM85])

2. total algebras with equations and subsorting (see [Gog78])

3. total algebras with implications

4. total algebras with relations and implications (Horn Clause Theories, see [GM86, Pad88]) and finally

5. partial algebras with relations and implications built from existence-equations (algebraic systems in [Bur82]).

We use signatures Σ = (S, OP, POP, REL) consisting of sort, total operation, partial operation and relation
symbols. For simplicity, subsorting is coded by injection functions, so the second approach has special axioms inj op
available, which specify an operation op to be injective. This can be expressed as op(x) = op(y) → x = y in the
third approach, so the approaches actually have increasing expressiveness.

Bergstra and Tucker [BT87] classify various specification methods with respect to recursion theoretic expressiveness
of initial algebra semantics.

For designing modular specifications, parametrised specifications and data types are useful. We only consider
parametrised data types (PADTs) which are specifiable with hidden sorts, operations and/or relations. That is,
specifiable PADTs are composites of free and forgetful functors in the corresponding institution. In order to perform
classifications with respect to PADTs, we first need a notion of computability over (parameter) algebras.
2 Computability over Abstract Algebras


In the literature, there are various approaches to define computability over an algebra.

Reichel [Rei87] defines T-algorithms for a theory T by using persistent extensions. This is no algorithmical or
recursion theoretical concept, since it depends already on a particular specification method.

Kaphengst [Kap81] characterizes operations specifiable by free persistent extensions using effective numberings. But
his characterization is not uniform: the extension of the parameter theory depends on the parameter algebra.
Hupbach [Hup80] considers abstract implementations and characterizes specifiable functors by certain "uniform
rules". This comes closer to our intention. The problem here is that "uniformity" is defined very technically during
the proof of the characterization.

Bergstra and Klop [BK82] give an interesting characterization of specifiable functors with minimal total parameter
algebras. For non-minimal algebras, they again have to incorporate some specification machinery and initial semantics
in their notion of computable PADT (see [BK83]).

For parametrized recursion theory, we want a notion of uniform algorithm over abstract algebras, which is both
algorithmic (hence does not rely on algebraic specification methods) and uniform, that is, independent of the
particular representation of the parameter algebra (this corresponds to the "information hiding" principle). Moschovakis's
prime and search computability [Mos69] fits these requirements (see Ershov [Ers81] for an overview of the
various approaches).

Natural numbers of ordinary recursion theory have to be replaced by another domain with pairing. Let Σ =
(S, OP, POP, REL) be a signature and A a Σ-algebra. The set SExpr(A) of S-expressions over A is defined
inductively: it contains nil, atom-s(a) for s ∈ S, a ∈ A_s, and cons(t, u) for t, u ∈ SExpr(A). The set SExpr is the
subset of S-expressions containing no atoms. As in LISP, we can consider natural numbers and lists of S-expressions
again as S-expressions, and have first and rest as inverses of cons.

Moschovakis's approach also captures nondeterminism. He considers many-valued partial maps f_A : SExpr(A)^n ⇀
SExpr(A), such that for x̄ ∈ SExpr(A)^n, the values z with f_A(x̄) → z form a (possibly empty) subset of SExpr(A).
f_A(x̄) ≃ g_A(x̄) means f_A(x̄) → u if and only if g_A(x̄) → u.

Definition 2.1 (Moschovakis) Let Σ = (S, OP, POP, REL) be a signature and code : OP ∪ POP ∪ REL → ℕ
some numbering. We define inductively the set of Σ-algorithms f as a subset of SExpr.


         definition scheme                                         S-expression f                    condition
C0a.     f(x̄, y1, ..., ym) ≃ op(x̄)                                  (0, n + m, code(op))              op : s̄ → s ∈ OP
C0b.     f(x̄, y1, ..., ym) ≃ pop(x̄)                                 (0, n + m, code(pop))             pop : s̄ → s ∈ POP
C0c.     f(x̄, y1, ..., ym) ≃ nil  (if R(x̄))                         (0, n + m, code(R))               R : s̄ ∈ REL
C1.      f(x̄) ≃ nil                                                 (1, n)
C2.      f(y, x̄) ≃ y                                                (2, n + 1)
C3.      f(t, u, x̄) ≃ (t . u)                                       (3, n + 2)
C4a.     f(y, x̄) ≃ first(y)                                         (4, n + 1, 0)
C4b.     f(y, x̄) ≃ rest(y)                                          (4, n + 1, 1)
C5.      f(x̄) ≃ g(h(x̄), x̄)                                          (5, n, g, h)
C6.      f(nil, x̄) ≃ g(x̄)                                           (6, n + 1, g, h1, ..., hm, k)     S = { s1, ..., sm }
         f(atom-s_i(y), x̄) ≃ h_i(atom-s_i(y), x̄)                                                      (i = 1, ..., m)
         f((t . u), x̄) ≃ k(f(t, x̄), f(u, x̄), t, u, x̄)
C7.      f(x̄) ≃ g(x_{j+1}, x1, ..., xj, x_{j+2}, ..., xn)            (7, n, j, g)
C8.      f(e, x̄, y1, ..., ym) ≃ {e}(x̄)                              (8, n + m + 1, n)
C9.      f(x̄) ≃ νy(g(y, x̄) → nil)                                   (9, n, g)



Definition 2.2 A Σ-algorithm f has as semantics a family of many-valued partial maps {f}^A : SExpr(A)^n ⇀
SExpr(A) indexed by Σ-algebras A. The semantical relation {f}^A(x̄) → z is defined as the minimal relation
satisfying the following conditions:

         Scheme f =
C0c.     ā ∈ R_A ⇒ {f}^A(atom-s̄(ā), u1, ..., um) → nil                (0, n + m, code(R))      R : s̄ ∈ REL
C5.      ∃u ({h}^A(x̄) → u ∧ {g}^A(u, x̄) → v) ⇒ {f}^A(x̄) → v            (5, n, g, h)
C8.      {e}^A(x̄) → u ⇒ {f}^A(e, x̄, u1, ..., um) → u                  (8, n + m + 1, n)
C9.      {g}^A(u, x̄) → nil ⇒ {f}^A(x̄) → u                             (9, n, g)

(For the other cases, the definition schemes are translated to semantical conditions similarly.) □

* We abbreviate s1, ..., sn by s̄, x1, ..., xn by x̄, and so on.

Schemes C0 to C7 allow one to express primitive recursiveness, schemes C0 to C8 prime computability and schemes C0
to C9 search computability (with the ν-operator, an unordered, nondeterministic search is possible). Both prime and
search computability reduce to partial recursiveness when Σ is empty.

Since the equality relation is not necessarily search computable, we have to add explicitly, if necessary, relation
symbols EQ-s : s s for s ∈ S to parameter signatures Σ. The resulting signature is denoted by EQ(Σ), and EQ(A)
interprets EQ-s as equality on A_s.

Definition 2.3 We call a family R = (R_A)_{A ∈ Alg(Σ)} of relations (R_A ⊆ SExpr(A)^n) primitively recursive (semi-search
computable), if there is a primitively recursive (search computable) Σ-algorithm f with

    x̄ ∈ R_A  iff  {f}^A(x̄) → nil

for all A ∈ Alg(Σ), x̄ ∈ SExpr(A)^n. We call R primitively recursively enumerable, if there is a primitively recursive
Σ-algorithm f with

    range({f}^A) = R_A

for all A ∈ Alg(Σ). □

The computational model allows one to make explicit the kind of nondeterminism and parallelism inherent in algebraic
specification methods. Only semi-search computable families of relations are closed under unbounded search and
existential quantification; and nondeterminism resp. OR-parallelism and full access to the parameter are available.
Relations from primitively recursive and primitively recursively enumerable families are independent of the parameter
operations and relations (see [Mos92])! That is, only the data sets can be used, but not equality or other relations and
operations on the data. So primitively recursively enumerable families of relations are just closed under existential
quantification. Primitive recursive families of relations are not even closed under existential quantification (this is
well-known from ordinary recursion theory).

3 Computable PADTs 

With the computational model of Moschovakis, we can generalise the notion of semi-computable algebra (see [BT87])
to the parametrized case.

Definition 3.1 Let Σ ⊆ Σ1 be a parametrised signature (Σ = (S, OP, POP, REL), Σ1 = (S1, OP1, POP1, REL1)).
An algorithm p for a semi-search computable (Σ, Σ1)-PADT is a quintuple p = ((χ_s)_{s ∈ S1}, (eq_s)_{s ∈ S1}, (Φ_op)_{op ∈ OP1},
(Φ_pop)_{pop ∈ POP1}, (Φ_R)_{R ∈ REL1}), where χ_s and eq_s are EQ(Σ)-algorithms for unary (resp. binary) semi-search
computable families of relations, the Φ_op (resp. Φ_pop) are EQ(Σ)-algorithms for primitively recursive (resp.
search computable) families of maps of appropriate arity, such that for each Σ-algebra A

1. has the formal properties of a closed congruence relation (see [Bur86]).

2. image({Φ_op}^{EQ(A)}) ⊆

3. For s ∈ S we have: { atom-s(a) | a ∈ A_s } ⊆

4. For pop : s̄ → s ∈ POP and ā ∈ dom pop_A we have atom-s(pop_A(ā))

and analogously for op ∈ OP and R ∈ REL. □








Definition 3.2 Let Σ ⊆ Σ1 be a parametrized signature and p an algorithm for a semi-search computable (Σ, Σ1)-
PADT. The semantics of p is the PADT ⟨p⟩ = (η, F) with η : Id → V ∘ F and, for each A ∈ Alg(Σ):

    (FA)_s                                                  s ∈ S1
    op_FA(ā)                                                op : s̄ → s ∈ OP1
    pop_FA(ā)                                               pop : s̄ → s ∈ POP1
    ā ∈ R_FA   iff   {Φ_R}^{EQ(A)}(ā) → nil                 R ∈ REL1
    η_{A,s}(a) := [atom-s(a)]_≡                             s ∈ S

□




4 The characterization

Theorem 4.1 Let T ⊆ T1 be a parametrized theory in method i (i = 1, ..., 5) and (η, F) a persistent(3) PADT
with F : Alg(T) → Alg(T1), η : Id → V(2) ∘ F. Then the following are equivalent:

(1) (η, F) is computable by an algorithm p according to row i in the table below.

(2) (η, F) is specifiable with method i. That is, there is a theory T2 with T ⊆ T1 ⊆ T2 such that for each
T-algebra A,

    V(F_(T,T2) A) ≅ FA (4)

and η_A is the parameter embedding of A into F_(T,T2) A.

Moreover, T2 can be computed effectively from p and vice versa (up to some emptiness problems, which are ignored
here but can be solved, see [Mos92]).

In the table, "pr." means primitive recursiveness, "(s.)s.c." means (semi-)search computability and "p.e."
means primitively recursive enumerability.

The total operations Φ_op always can be chosen primitively recursive. □


Method | Recursion theory                                                                | Categorical property            | Example PADT
       | data   | congruence   | subsorts        | relations | partial               | of model categories             | separating the methods
       | χ_s    | on data eq_s | (range Φ_inj)   | Φ_R       | operations Φ_pop      |                                 |
-------+--------+--------------+-----------------+-----------+-----------------------+---------------------------------+-------------------------------
1      | pr.    | p.e.         |                 |           |                       | equivalences (see [MR77])       | lists, trees etc. over
       |        |              |                 |           |                       | have quotients                  | some data
2      | pr.    | p.e.         | p.e.            |           |                       | coequalizers commute with       | factorization over the
       |        |              |                 |           |                       | subobjects                      | image of some function
3      | pr.    | s.s.c.       | p.e.            |           |                       | regular epis are pullback       | making some Abelian group
       |        |              |                 |           |                       | stable                          | torsion free
4      | pr.    | s.s.c.       | p.e.            | s.s.c.    |                       | (reg epi, mono)-factorizations  | transitive closure of
       |        |              |                 |           |                       | exist                           | some relation
5      | s.s.c. | s.s.c.       | s.s.c.          | s.s.c.    | s.c.                  | locally finitely presentable    | set of paths over
       |        |              |                 |           |                       | category                        | some graph

(2) V yields the Σ-reduct of a Σ1-algebra.

(3) That is, η is a natural isomorphism.

(4) F_(T,T2) is the free construction corresponding to the parametrised theory T ⊆ T2.










Interestingly, many differences shown in the table vanish in the unparametrized case. For example, both primitively
recursive enumerability and semi-search computability then reduce to recursive enumerability. If uniformity
considerations are ignored, the last four methods all have the same power (with initial semantics, and relations and
(graphs of) partial functions possibly represented as subsorts), though the properties of the model categories differ.
If you switch over to the parametrized case, then the recursion theoretical properties (of free constructions) get into
a narrow correspondence with categorical properties (of loose semantics), especially concerning the behaviour of
quotients. Thus, in a sense, parametrized recursion theory reconciles recursion theory with category theory.

The above results only hold for persistent parametrized data types. In the non-persistent case, the computational
model has to be modified by some construction using inductive limits. This sheds some light on well-known difficulties
with non-persistent parametrizations. See [Mos92].
Recent work by Malcolm [7], Meijer, Fokkinga, and Paterson [8], and Cockett with the programming
language Charity [1, 2] has suggested that a high level of modularity and abstraction may be obtained
by the use of generic control structures that capture patterns of recursion for a large class of algebraic
types in a uniform way. This is important for several reasons.

• Abstraction. It allows the specification of algorithms independent of the type of data structures
they are to operate on, since the control structure of the algorithm is generated for each datatype.

• Genericity. It allows the statement, proof, and use of type parametric theorems independent
of any particular type.

• Structure. Functional programs are often the target of transformation and optimization. These
techniques generally search for patterns of structure in programs to satisfy the hypotheses of particular
transformations. If structure is explicit, rather than implicit, the job of the transformation
system is made easier.

Unfortunately it is hard to reap these benefits when using a traditional functional programming
language as there is no mechanism for defining type parametric abstractions, which are the heart of
many algebraic methods. This shortcoming can be overcome by the use of reflection in a typed
language.

A programming language supports reflection if it has a distinguished class of values that correspond
to syntactic fragments of the language and operations to manipulate these representations as data or
programs, either by computing over them, evaluating them or injecting them into the value space.
Typically these operations are called reify : value → rep, reflect : rep → value, and eval : rep → rep.
We are going to concentrate on the uses of reflect.

Reflection is classified as either “compile time” or “run time” depending on when the semantic 
actions are expected to take place. Semantically, compile time reflection is the most straightforward 
since every compile time reflective program has the same meaning as a program that does not use 
reflection which is obtained by executing all of the reflection operations. 

1 Type Parametric Combinators 

Algebraic methods can be added to traditional functional languages by the disciplined use of compile-time
reflection. Algebraic operators like fold can be created by computing over the representations of
type declarations to build the representation of operators for these types, then reflecting over these
representations to obtain the actual operators. For example, this could be done in the following way.
Consider sum-of-products types defined by using recursive equations of the form:

T(α1, ..., αp) = C1(t_{1,1}, ..., t_{1,m1}) | ... | Cn(t_{n,1}, ..., t_{n,mn})

*Tim Sheard is supported in part by a grant from OACIS and Tektronix.


where α1, ..., αp denote type variables, the C_i are names of value constructor functions, and the t_{i,j} are
either type variables (in the set α1, ..., αp) or instances of sum-of-products types, including the type
T(α1, ..., αp) itself.

Functions manipulating values of these types will use a pattern of recursion related to the pattern of 
recursion in the type definitions. Algebraic methods often capture these patterns using the categorical 
notion of a functor. The functor E_T [5, 1, 14] defined below is the morphism part of a categorical 
functor. There exists an E_T for each type T. Category theorists would say that T is defined in 
terms of the fixpoint of E_T. Functional programmers are used to defining types by the use of recursive 
equations, so we follow this path. 

Using E_T it is possible to describe the generalised fold (catamorphism [8]) operator for any simple 
sum-of-products type by defining a set of recursive equations, one for each constructor C_i: 

$$fold_T(H) \circ C_i = h_i \circ E_T^i(id_1, \ldots, id_p, fold_T(H))$$

where H = (h_1, …, h_n) and for each index j, id_j is the identity function. 

To make this definition precise we must provide a definition of E_T in terms of the data type 
equation defining T. The functor is constructed from the n-fold sum of functors E_T^i. Each E_T^i is 
a (p+1)-adic functor* associated with the corresponding constructor C_i : (t_{i,1}, …, t_{i,m_i}) → T(α): 

$$E_T^i(f, g) = A^{(f,g)}[t_{i,1} \times \cdots \times t_{i,m_i}]$$

where T(α) = T(α_1, …, α_p), f = f_1, …, f_p, and the notation (h_1, …, h_n) represents a function 
with the property that (h_1, …, h_n)(x_1, …, x_n) = (h_1 x_1, …, h_n x_n), and A is the type parametric 
combinator: 

$$\begin{aligned}
A^{(f,g)}[\alpha_j] &= f_j \\
A^{(f,g)}[T(\alpha)] &= g \\
A^{(f,g)}[S(t_1, \ldots, t_n)] &= map_S(A^{(f,g)}[t_1], \ldots, A^{(f,g)}[t_n]) \\
A^{(f,g)}[t_1 \times \cdots \times t_n] &= \lambda(x_1, \ldots, x_n).\,(A^{(f,g)}[t_1]\,x_1, \ldots, A^{(f,g)}[t_n]\,x_n) \\
A^{(f,g)}[u \to v] &= \lambda h.\ A^{(f,g)}[v] \circ h \circ A^{(f,g)}[u] \\
A^{(f,g)}[()] &= id
\end{aligned}$$


We may also use E_T to generate the morphism part of the categorical functor, often called 
the map for T: 

$$(map_T(f_1, \ldots, f_p)) \circ C_i = C_i \circ E_T^i(f_1, \ldots, f_p, map_T(f_1, \ldots, f_p))$$
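The combinator A and the functors E_T^i above can be executed directly over a representation of the type equation. The following Python program is an added example, not code from the paper or from CRML: it encodes declarations for list, a binary tree and a rose tree (whose recursion is nested through list), and derives fold_T and map_T from the declaration alone; the encoding, the DECLS table and all function names are this example's own.

```python
# Added example (not code from the paper or from CRML): the type parametric
# combinator A^{(f,g)} and the functors E_T^i, interpreted over a small
# encoding of sum-of-products type equations so that fold_T and map_T are
# derived from a declaration instead of written by hand.  The encoding,
# the DECLS table and all names below are this example's own.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

# Type expressions t_{i,j}: a type variable alpha_j (by index), a recursive
# occurrence of the type being defined, a product, or an application of
# another declared type constructor S(t_1, ..., t_n).
@dataclass(frozen=True)
class Var:
    j: int

@dataclass(frozen=True)
class Rec:
    pass

@dataclass(frozen=True)
class Prod:
    parts: Tuple["Ty", ...]

@dataclass(frozen=True)
class App:
    name: str
    args: Tuple["Ty", ...]

Ty = Union[Var, Rec, Prod, App]

# T(alpha_1..alpha_p) = C_1(t_11, ...) | ... | C_n(...) is a dict from the
# constructor name to the tuple of its field types.  Values are tagged
# tuples (constructor_name, field_1, ..., field_m).
Decl = Dict[str, Tuple[Ty, ...]]
DECLS: Dict[str, Decl] = {                                # constructed sample declarations
    "list": {"Nil": (), "Cons": (Var(0), Rec())},
    "tree": {"Leaf": (Var(0),), "Node": (Rec(), Rec())},
    "rose": {"Rose": (Var(0), App("list", (Rec(),)))},    # recursion nested through list
}

def arity(decl: Decl) -> int:
    """p: the number of type variables, taken from the highest index used."""
    def vars_in(t: Ty) -> List[int]:
        if isinstance(t, Var):
            return [t.j]
        if isinstance(t, (Prod, App)):
            subs = t.parts if isinstance(t, Prod) else t.args
            return [j for s in subs for j in vars_in(s)]
        return []
    return max([j for fs in decl.values() for t in fs for j in vars_in(t)], default=-1) + 1

def A(f: List[Callable], g: Callable, t: Ty) -> Callable:
    """A^{(f,g)}[t]: f_j on alpha_j, g on T(alpha), map_S on S(t_1..t_n),
    componentwise on products (the function-type case is omitted here)."""
    if isinstance(t, Var):
        return f[t.j]
    if isinstance(t, Rec):
        return g
    if isinstance(t, App):
        return make_map(t.name)(*[A(f, g, a) for a in t.args])
    fs = [A(f, g, part) for part in t.parts]
    return lambda xs: tuple(h(x) for h, x in zip(fs, xs))

def E(name: str, con: str, f: List[Callable], g: Callable) -> Callable:
    """E_T^i(f, g) = A^{(f,g)}[t_{i,1} x ... x t_{i,m_i}], acting on C_i's argument tuple."""
    return A(f, g, Prod(DECLS[name][con]))

def make_fold(name: str) -> Callable[[Dict[str, Callable]], Callable]:
    """fold_T(H) o C_i = h_i o E_T^i(id_1, ..., id_p, fold_T(H))."""
    ids = [lambda x: x] * arity(DECLS[name])
    def fold(H: Dict[str, Callable]) -> Callable:
        def go(value):
            con, *fields = value
            return H[con](*E(name, con, ids, go)(tuple(fields)))
        return go
    return fold

def make_map(name: str) -> Callable[..., Callable]:
    """map_T(f_1..f_p) o C_i = C_i o E_T^i(f_1..f_p, map_T(f_1..f_p))."""
    def map_(*fs: Callable) -> Callable:
        def go(value):
            con, *fields = value
            return (con, *E(name, con, list(fs), go)(tuple(fields)))
        return go
    return map_

def demo() -> Dict[str, object]:
    """Derived operators applied to constructed sample values."""
    lst = ("Cons", 1, ("Cons", 2, ("Nil",)))
    length = make_fold("list")({"Nil": lambda: 0, "Cons": lambda _x, n: 1 + n})
    sum_list = make_fold("list")({"Nil": lambda: 0, "Cons": lambda h, t: h + t})
    tree = ("Node", ("Leaf", 3), ("Node", ("Leaf", 4), ("Leaf", 5)))
    tree_sum = make_fold("tree")({"Leaf": lambda x: x, "Node": lambda l, r: l + r})
    rose = ("Rose", 1, ("Cons", ("Rose", 2, ("Nil",)), ("Cons", ("Rose", 3, ("Nil",)), ("Nil",))))
    rose_sum = make_fold("rose")({"Rose": lambda x, kids: x + sum_list(kids)})
    return {"length": length(lst),
            "tenfold": make_map("list")(lambda x: x * 10)(lst),
            "tree_sum": tree_sum(tree),
            "rose_sum": rose_sum(rose),
            "rose_neg": make_map("rose")(lambda x: -x)(rose)}
```

Because the rose declaration mentions list, the App case of A calls make_map("list") with the rose fold or map as the function to map, which is exactly the map_S(A[t_1], …) clause: nothing about list is special-cased.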


2 Compile-time Reflection 

Language tools usually consist of an object language, in which the programs being manipulated 
are expressed, and a meta language, which is used to describe the manipulation. A compile time 
reflective language has features that allow it to be its own meta-language. We have built an implementation 
of compile-time reflection for a subset of ML we call CRML (Compile-time Reflective ML). 
In CRML the object language is "encoded" (represented) in an ML datatype. There is a datatype 
for each syntactic feature of ML. Object language manipulations are described by manipulations of 
this "representation" datatype. CRML contains syntactic sugar (object brackets « » and escape `) 
for constructing and pattern matching program representations which mirror the corresponding actual 
programs. Thus, meta programs manipulating object programs may either be expressed directly with 
the explicit constructors of the representation type or with this "object-language" extension to ML's 
syntax. Text within the object-language brackets (« ») is parsed but not compiled. Its representation 
is returned as the value. Meta-language expressions may be included in the object-language text 
by "escaping" them with a backquote character (`). Samples of this feature are illustrated in the table 
below. 


*Where p is the number of universally quantified type variables in the left hand side of T's type equation. 



Concrete syntax    Constructor based            Object bracket based 

x                  Id "x"                       « x » 

f x                App(Id "f", Id "x")          « f x » 

                   App(g, y)                    « `g `y » 

(x,y)              Tuple [Id "x", Id "y"]       « (x,y) » 

                   Tuple [x, y]                 « (`x, `y) » 


By using reflection, generic operators such as map and fold have straightforward implementations 
by computing over the representations of datatype declarations. In CRML a template defines a function 
which, when invoked, is mapped over all the constructors (and their corresponding types) of a datatype 
declaration, constructing the object language value for the representation of a function declaration. For 
example the template below defines a function mapf which generates the representation of a function 
declaration from a string (representing the name of a type constructor). 

fun template mapf T = 

    map f ((Ci of d -> r) xbar) = `Ci (`(A r «f» «map f» d) `xbar); 

The expression in the constructor position of the function definition, ((Ci of d -> r) xbar), is 
treated as a pattern. Thus upon invocation of the template the variables in this pattern will be bound 
to object language values particular to each constructor: Ci is bound to an object language expression 
for the constructor function, xbar to an object language tuple expression (of the appropriate "shape" 
to be Ci's argument), d to the object language type of Ci's domain, and r to the object language type 
of Ci's range (which is the type T). 

The rest of the expression is taken literally to compute one of the equations defining a function, 
except that escaped expressions are evaluated at invocation time and "spliced" into the equation. 

While an escape character inside object brackets or a template definition allows the results of meta 
computations to be "spliced" into object programs, an unbracketed, escaped expression is a simple 
interface to compile-time reflection. It indicates that the escaped expression should be evaluated (at 
compile-time) to compute the expression (or type, pattern, declaration, etc.) that replaces the escaped 
expression (much like macro expansion). 

Thus, using the mapf meta program, the program below calculates and defines the map for list. 

val maplist = let `(mapf "list") in map end; 

as if the user had typed the following instead: 

val maplist = let fun map f [] = [] 
                    | map f (a1::a2) = Cons(f a1, map f a2) 
              in map end 
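A Python analogue of the mapf template and of the reflect step, added here as an example (it is not CRML code): the datatype declaration is reified as data, the template computes over each constructor to produce the source text of a map function, and exec injects that text back into the value space. The declaration encoding, the TREE_DECL sample and the function names are this example's own.

```python
# Added example, not CRML code: a Python analogue of the mapf template and
# of reflect.  The datatype declaration is reified as data, the template
# computes over each constructor to build the source text of a map function
# (the object program), and reflect() injects that text into the value
# space with exec.  Declaration encoding, samples and names are this
# example's own.
from typing import Callable, Dict, List

# Each constructor maps to the kinds of its fields: "var" is the type
# parameter alpha, "rec" the type being defined, "other" anything map
# leaves untouched.  Values are tagged tuples (constructor, *fields).
Decl = Dict[str, List[str]]
LIST_DECL: Decl = {"Nil": [], "Cons": ["var", "rec"]}
TREE_DECL: Decl = {"Leaf": ["var"], "Node": ["rec", "other", "rec"]}  # constructed: node carries a tag

def mapf(name: str, decl: Decl) -> str:
    """Template: one equation (branch) per constructor Ci.  Like
    A[f, «map f», d], each field is spliced back through f, through the
    recursive call, or unchanged, according to its kind."""
    lines = [f"def map_{name}(f, value):", "    con, *xbar = value"]
    for index, (con, fields) in enumerate(decl.items()):
        xs = [f"x{i}" for i in range(len(fields))]
        keyword = "if" if index == 0 else "elif"
        lines.append(f"    {keyword} con == {con!r}:")
        if xs:
            lines.append(f"        {', '.join(xs)}, = xbar")   # bind the pattern variables
        spliced = {"var": lambda x: f"f({x})",
                   "rec": lambda x: f"map_{name}(f, {x})",
                   "other": lambda x: x}
        rhs = "".join(spliced[kind](x) + ", " for x, kind in zip(xs, fields))
        lines.append(f"        return ({con!r}, {rhs})")
    lines.append("    raise ValueError(con)")
    return "\n".join(lines) + "\n"

def reflect(source: str, name: str) -> Callable:
    """reflect : rep -> value.  Compile the generated declaration and
    return the function it binds; recursive calls resolve in the same
    namespace.  The text comes only from the template above."""
    namespace: dict = {}
    exec(compile(source, f"<generated {name}>", "exec"), namespace)
    return namespace[name]

# The "compile-time" step: expand the template, then bind the result.
map_list = reflect(mapf("list", LIST_DECL), "map_list")
map_tree = reflect(mapf("tree", TREE_DECL), "map_tree")

def demo():
    """The reflected functions applied to constructed sample values."""
    return (map_list(lambda x: x + 1, ("Cons", 1, ("Cons", 2, ("Nil",)))),
            map_tree(str, ("Node", ("Leaf", 1), "tag", ("Leaf", 2))))
```

Printing mapf("list", LIST_DECL) shows the expanded object program, the counterpart of the "as if the user had typed" listing above. The generated text is built only by the template from a declaration fixed in the program, which is what makes exec acceptable here: the object program is derived, not read from input.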

3 Monadic Composition 

We have used similar methods in automating the generation of polymorphic functions to realize the 
monadic structure of datatype declarations [6]. Moggi has shown that monads can be used to structure 
semantics [9]. Other researchers, including Wadler [13] and our group [6], have explored the use of 
monads to structure specifications and programs. Many algorithms may be expressed solely in terms 
of the monadic operations. When this can be done, changes to the details of the data type do not 
require changes in the specification of the algorithms. Monads also support a very powerful notion 
of composition that allows programs to be decomposed into more easily understood and maintained 
modules. 

For example, let the type constructor Maybe be defined by Maybe(x) = Nothing | Just(x). 
Spivey [11] has used this type to model exceptional computations. Maybe has the structure of a 
monad [12, 6]. The binary product distribution for Maybe, with type (Maybe(α) × Maybe(β)) → 
Maybe(α × β), can be defined as: 

$$\Gamma^{Maybe}(x_1, x_2) = \{(a_1, a_2) \mid a_1 \leftarrow x_1,\ a_2 \leftarrow x_2\}$$

Using the usual translation [12] for monad comprehensions we get: 

$$\Gamma^{Maybe}(x_1, x_2) = join^{Maybe}(map^{Maybe}(\lambda a_1.\,(map^{Maybe}(\lambda a_2.\,(a_1, a_2))\ x_2))\ x_1)$$

Let the type T(α) = S(Maybe(α)), where S is any sum-of-products type. Then T has the 
structure of a monad. The distribution function Γ^S_{Maybe} : S(Maybe(α)) → Maybe(S(α)) can 
be given in terms of the operator fold_S: 

$$\Gamma^{S}_{Maybe} = fold_S(f_1, \ldots, f_n)$$

where f_i is an accumulating function for each data constructor C_i : (t_{i,1}, …, t_{i,m_i}) → S. If C_i is a nullary 
constructor, then f_i () = unit^{Maybe} C_i. If C_i is not a nullary constructor, then the corresponding 
accumulating function f_i can be defined as 

$$f_i = (map^{Maybe}\ C_i) \circ \Gamma_i \circ (unit^{Maybe}, id, id)$$

where Γ_i can be defined in a manner similar to Γ^{Maybe} as follows: 

$$\Gamma_i(f_{non}, f_\alpha, f_{rec}) = \cdots$$

and A' is the type parametric combinator: 

$$\begin{aligned}
A'[t] &= f_{non} && \text{when neither } \alpha \text{ nor } S(\alpha) \text{ occurs in } t \\
A'[\alpha] &= f_\alpha \\
A'[S(\alpha_1, \ldots, \alpha_p)] &= f_{rec} \\
A'[T'(t_1, \ldots, t_n)] &= map_{T'}(A'[t_1], \ldots, A'[t_n]) \\
A'[t_1 \times \cdots \times t_n] &= \lambda(x_1, \ldots, x_n).\,(A'[t_1]\,x_1, \ldots, A'[t_n]\,x_n)
\end{aligned}$$

For example, the type composition distribution function Γ^{List}_{Maybe} is a function with type List(Maybe(α)) → 
Maybe(List(α)), and can be defined as follows: 

$$\begin{aligned}
\Gamma^{List}_{Maybe} &= fold_{List}(f_{Nil}, f_{Cons}) \\
f_{Nil}\,() &= unit^{Maybe}\ Nil \\
f_{Cons}(x, xs) &= map^{Maybe}\ Cons\ (\Gamma^{Maybe}(x, xs))
\end{aligned}$$

This function, which can be generated for any datatype S, allows us to lift a function f : α → 
Maybe(β) to a function g : S(α) → Maybe(S(β)): 

$$g = \Gamma^{S}_{Maybe} \circ (map_S\ f)$$
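The distribution Γ^{List}_{Maybe} and the lifting g = Γ ∘ map_S f, carried out in Python as an added example (not the paper's code). Maybe is encoded as None for Nothing and a one-element tuple for Just, so that Just(Nothing) and Nothing stay distinct; lists are nested tagged tuples; fold_list, dist_maybe, lift and safe_div are this example's own names.

```python
# Added example (not the paper's code): the Maybe monad, the binary product
# distribution Gamma^{Maybe}, the type composition distribution
# Gamma^{List}_{Maybe} : List(Maybe(a)) -> Maybe(List(a)) written as a fold,
# and the lifting g = Gamma^{List}_{Maybe} o map_List f.  Encodings and
# names are this example's own: Nothing is None, Just(x) is the one-tuple
# (x,) so that Just(Nothing) differs from Nothing; lists are nested tagged
# tuples ("Nil",) / ("Cons", head, tail).
from typing import Any, Callable, Optional, Tuple

Maybe = Optional[tuple]

def unit_maybe(x: Any) -> Maybe:
    return (x,)

def map_maybe(f: Callable, m: Maybe) -> Maybe:
    return None if m is None else (f(m[0]),)

def join_maybe(mm: Maybe) -> Maybe:
    return None if mm is None else mm[0]

def dist_maybe(x1: Maybe, x2: Maybe) -> Maybe:
    """Gamma^{Maybe}(x1, x2) = {(a1, a2) | a1 <- x1, a2 <- x2}, through the
    comprehension translation join(map(\\a1. map(\\a2. (a1, a2)) x2) x1)."""
    return join_maybe(map_maybe(lambda a1: map_maybe(lambda a2: (a1, a2), x2), x1))

def fold_list(f_nil: Callable[[], Any], f_cons: Callable[[Any, Any], Any]) -> Callable:
    """fold_List(f_Nil, f_Cons): replace Nil by f_nil() and Cons by f_cons."""
    def go(xs):
        if xs[0] == "Nil":
            return f_nil()
        _, head, tail = xs
        return f_cons(head, go(tail))
    return go

def cons(pair: Tuple[Any, Any]):
    return ("Cons", pair[0], pair[1])

# Gamma^{List}_{Maybe} = fold_List(f_Nil, f_Cons) with
#   f_Nil ()      = unit^{Maybe} Nil
#   f_Cons (x,xs) = map^{Maybe} Cons (Gamma^{Maybe}(x, xs))
dist_list_maybe = fold_list(lambda: unit_maybe(("Nil",)),
                            lambda x, xs: map_maybe(cons, dist_maybe(x, xs)))

def map_list(f: Callable) -> Callable:
    return fold_list(lambda: ("Nil",), lambda x, xs: ("Cons", f(x), xs))

def lift(f: Callable[[Any], Maybe]) -> Callable:
    """g = Gamma^{List}_{Maybe} o (map_List f): List(a) -> Maybe(List(b))."""
    mapped = map_list(f)
    return lambda xs: dist_list_maybe(mapped(xs))

def from_py(items: list):
    """Constructed helper: a Python list as a tagged Cons list."""
    xs = ("Nil",)
    for item in reversed(items):
        xs = ("Cons", item, xs)
    return xs

def to_py(xs) -> list:
    return fold_list(lambda: [], lambda head, rest: [head] + rest)(xs)

def safe_div(x: int) -> Maybe:
    """A partial function modelled with Maybe: 10 / x, Nothing on zero."""
    return None if x == 0 else unit_maybe(10 // x)

def demo():
    ok = lift(safe_div)(from_py([1, 2, 5]))       # Just [10, 5, 2]
    failed = lift(safe_div)(from_py([1, 0, 5]))   # Nothing: one failure aborts the whole list
    return ok, failed
```

The second result in demo is the point of the distribution: a single Nothing anywhere in the list makes the lifted result Nothing, because Γ^{Maybe} at the failing Cons cell propagates it through every enclosing f_Cons.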


Using other type parametric combinators we have implemented algebraic generators for structural 
equality, and unification over data structures which represent abstract terms. 

In addition we have defined a normalisation algorithm [3, 4, 10] which automatically calculates 
improvements to programs whose only control structures are folds. It reduces these programs to a 
canonical form. Based upon a generic promotion theorem [7, 8], the algorithm is facilitated by the 
explicit structure of fold programs rather than using an analysis phase to search for implicit structure. 
Canonical programs are minimal in the sense that they contain the fewest number of fold operations. 
Because of this property the improvement algorithm has important applications in program transformation, 
optimization, and theorem proving. 


4 Conclusion 

A compile-time reflective programming environment is an appropriate choice when computations over 
programs are necessary. Meta-programs can access the types of objects in the environment, retrieve 
representations of types or functions as data, generate representations of the derivative functions for 
types, or apply optimizations or transformations to functions, and then submit these representations 
to the compiler. This allows the incremental expansion of traditional functional languages to include 
algebraic methodologies based upon formal foundations in a straightforward manner. 
ABSTRACT 

The type and effect discipline is a recent framework for typing expressions in implicitly, strongly typed, polymorphic functional languages with imperative extensions. In addition to the automatic reconstruction of the principal types, this discipline computes the minimal side effects of expressions. The main objective of this work is to present a generalisation of this discipline to concurrent, functional and imperative languages. Accordingly, we present an effect-based static semantics as well as an operational semantics for a language that unifies the previously mentioned computational styles. The proposed type system is applied to a concurrent ML-like language. It computes, in addition to the type of expressions, their side and communication effects. Furthermore, an operational semantics of the language is presented. The latter is based on an extension of Hennessy's operational semantics of the VPLA (Value-Passing Language with Assignment) language. That is why our dynamic semantics can be viewed as an extension of the work on CCS without τ's proposed initially by De Nicola and Hennessy. A significant goal of this paper is to prove that the static and the dynamic semantics are consistently related. 

Keywords: Typing; Side and Communication Effects; Static and Dynamic Semantics; Concurrent, Functional and Imperative Programming; Process Algebra; Consistency of Typing. 


1 Motivation and Background 

The ultimate goal of this work is the definition of a wide-spectrum specification language that supports both data and concurrency descriptions. The design of this specification language followed the same approach as the one used in the design of Extended ML [ST85]. 

The starting point is the design of an implicitly typed, polymorphic, concurrent and functional programming language. Axioms are then added in the signatures and structures as in Extended ML. The resulting specification language is thus highly expressive though it embodies a restricted number of concepts. More concisely, our language can be viewed as a sugared version of typed λ-calculus that safely incorporates imperative and concurrent extensions. 

The intent of this paper is to focus on the theoretic foundations of the underlying programming language. The latter unifies three computational paradigms which we refer to as concurrent, functional and imperative programming. A great deal of interest has been expressed in each of these programming styles and the underlying foundations have been deeply investigated, albeit generally separately. 

Concurrency models have been a focus of interest for a great number of researchers. Accordingly, this gave rise to plenty of calculi and models. Prominent calculi are those that correspond to process algebra such as CCS (Calculus for Communicating Systems) [Mil89] and CSP (Communicating Sequential Processes) [Hoa85], for which mathematically well-behaved models have been advanced. One can cite the failure-sets model of Brookes, Hoare and Roscoe [BHR84] or the acceptance-trees model of Hennessy [Hen85]. However, in spite of the large activity of the concurrency community, it remains that formalisms and techniques devised for concurrent and distributed systems are generally relevant to pure processes; in other words, they focus on control aspects rather than data aspects. Thus, in such frameworks, there is no data, no communication, no states, etc. These simplifications are generally adopted in order to put the emphasis on the difficulties inherent to concurrent systems, for instance nondeterminism, the semantics of combinators, etc. 

On the other hand, functional programming has been extensively studied. Consequently, many powerful, general-purpose programming languages emerged such as ML dialects. The latter rest on secure theoretical foundations that are exemplified by the large body of results on pure and typed λ-calculus. Generally, functional languages are endowed with imperative features for efficiency reasons. Also, programming without such facilities quickly becomes tedious and cumbersome in many situations. 

The language described here supports polymorphic types. It also supports both functional and process abstractions as in CML [Rep91] and FACILE [GMP89]: functions may be used to describe internal computations of concurrent processes. Functions, processes, references and communication channels are first-class values and thus can be passed along channels. Consequently, the mobility of these values is supported. 

At the theoretical level, we will present the static semantics of this language as well as the dynamic semantics. The type inference system is based on an extension of the type and effect discipline: a new approach to implicit typing that can be viewed as an extension of the ML-style type discipline. In addition to that, as shown in [TJ92], effect-based type disciplines are more appropriate for integrating safely and efficiently functional and imperative programming. The dynamic semantics presented here is operational. It is based on an extension of VPLA (Value Passing Language with Assignment) of Hennessy [HI90, HI91]. Thus, the presented model can be viewed as a CCS without τ's version. 

2 Related Work 

Recently, some modern languages have been proposed that reconcile the functional, concurrent and imperative styles. For instance one can cite CML [Rep91], FACILE [GMP89] and LCS [Ber89]. All three languages emerged from the idea of combining an SML-like language [MTH90], as a functional and imperative core, with a CCS or CSP-like process algebra for process abstraction. They support polymorphic, functional and process abstractions, dynamic behaviors and higher order objects. 

The static semantics (typing semantics) in CML, FACILE and LCS rests on the type inference discipline. It is well known that this discipline is problematic in the presence of non referentially transparent constructs. More precisely, the problem is relevant to type generalisation in the presence of mutable data. Therefore, many extensions of the initial work of Milner [Mil78] have been proposed. 

The classical way to deal with this issue is the imperative type discipline [Tof87]. An extension of this approach has been used in the implementation of Standard ML of New Jersey. It is based on weak type variables: these type variables have an attached strength information, denoting the number of applications needed to get a non trivial effect. In [LW91], another method is proposed that consists in detecting some so called dangerous type variables (the ones occurring in the types of imperative objects), and labeling function types accordingly. 

Later, in [TJ92], the type and effect discipline is introduced. The latter yields as a result of the static evaluation of an expression not only its principal type, but also all the minimal side effects. A decidable typing system, consistent w.r.t. the operational semantics of the considered language, is advanced [TJ92]. Notice that the inference typing system was devised for an ML-like language, of course with imperative constructs. It should be noted that the idea of considering the effects as part of the static evaluation of an expression has been suggested in [Luc87] and adopted in the FX project [GJLS87, LG88]. 

As we pointed out before, one of the aims addressed here is to propose a dynamic semantics for our language. Notice that elaborating a dynamic semantics for such languages is somewhat complicated. The reasons for this are that we have to deal with various aspects of the language (concurrent, functional and imperative). Another source of complication is the integration of all these aspects. Most of the dynamic semantics proposed for these languages (Concurrent ML-like) are operational. For instance, CML and FACILE are endowed with an operational semantics reported respectively in [BMT92, Rep91] and [GMP89]. Another description of FACILE semantics has been developed using the CHAMs [BB91] (CHemical Abstract Machines) framework [LT92]. In this paper, we present an operational semantics of our language that can be viewed as an extension of the VPLA operational semantics. Notice that a denotational model has been devised for our language. The model is briefly discussed in [BD93]; its foundations are investigated in [BD92]. 

Our concern in this paper is: 

• To propose a new inference typing system (implicit typing) that computes, in addition to the principal types of expressions and their side effects, the minimal communication effects generated by the concurrent constructs. 

• To propose an adequate operational semantics for our language (Concurrent ML-like). 

• To prove that our typing system is consistent w.r.t. the static semantics. Notice that this issue is one of the most interesting results of this work. 


3 Informal presentation 

The syntactic constructions allowed in our language are close to those allowed in CML and FACILE. The set of expressions includes: 

• Literals such as integers, booleans true and false, a distinguished value (), a constant skip which models an expression that immediately terminates successfully. 

• Three binding operations that are the abstraction, the recursion and the let definition. 

• Imperative aspects are supported through the notion of reference. An expression of the form ref(E) stands for the allocation of a new reference and assigns to it the value obtained by evaluating the expression E. We will use the unary operator ! for dereferencing and the binary operator := for assignment. 

• Expressions may communicate through channels. The expression channel() means: allocate a new channel. The expression E!E' means: evaluate E and E', then send the result of the evaluation of E' on the channel resulting from the evaluation of E. The whole expression then evaluates to (). The expression E? evaluates to any value received on the channel resulting from the evaluation of E. Notice that the communications are synchronised as in CCS and CSP. 

• Three concurrency combinators: 

  - ⊕: Nondeterministic choice between two expressions (also called internal choice). 

  - □: External choice between two expressions. 

  - ||: Parallel composition of two expressions. 

• A sequencing operator: E ; E'. 

More formally the BNF syntax of our language is: 

E ::= () | true | false | Number n | Ident x | skip | 
      λx.E | E E | E ⊕ E | E □ E | E || E | E ; E | 
      ref E | !E | E := E | channel() | E? | E!E | 
      if E then E else E | let x = E in E | 
      rec x.E 

In the following, we will use P_f to stand for the finite powerset, and A ↦ B for the set of all finite mappings (maps for short) from A to B. 

4 Static semantics 

As we pointed out before, we have adopted the type and effect discipline in order to give a static semantics to our language. This choice is motivated by the following reasons: 

• As shown in [TJ92], the type and effect discipline is more appropriate than the other type systems [Tof87, LW91] in integrating efficiently functional and imperative programming. The reader should refer to [TJ92] for a full comparison of the type and effect discipline with the other approaches. 

• A more efficient type generalisation in let expressions by the use of the effect information and the observation criterion. 

• One of the main and the most motivating reasons for us is purely technical and is relevant to the foundations of the denotational model. More accurately, CML-like languages in general and the language described here in particular are quite expressive. For instance higher order processes are allowed, i.e. processes are values and can be communicated along channels. Then if we attempt naively to construct the process domain, this will lead to reflexive domain definitions that have no solutions. In order to get round this difficulty, the technique considered in this work makes a dependence between the static and the dynamic semantics by typing the dynamic domains by the hierarchy laid down by the static domains. At this level we need to know exactly the type, the communication and the store effects of the language expressions. This issue is discussed in detail in the next section. 

The reader should notice that the type and effect discipline reported in [TJ92] does not support communication effects. Thus the work reported hereafter is an extension of this discipline. 
We define the following static domains: 

• The domain of Reference regions. The notion of reference regions is introduced to abstract the memory locations. Every data structure corresponds to a region. Two values are in the same region if they may share some memory locations. The domain consists in the disjoint union of a countable set of constants and variables noted γ. We will use ρ, ρ', … to represent reference regions. 

• The domain of Reference effects. Reference effects abstract the memory side-effects. We define the following basic effects: ∅ for the absence of effect, ς for a reference effect variable, init(ρ, τ) for the reference allocation, read(ρ) for reading in the region ρ and write(ρ) for assignments of values to references in the region ρ. We introduce also a union operator ∪ for effects. 

  σ ::= ∅ | ς | init(ρ, τ) | read(ρ) | write(ρ) | σ ∪ σ 

  We will write σ ⊒ σ' iff ∃σ''. σ = σ' ∪ σ''. Equality on reference effects is modulo ACI (Associativity, Commutativity and Idempotence) with ∅ as the neutral element. 

Analogously, we introduce the following static domains: 

• The domain of Channel regions. As with reference regions, channel regions are intended to abstract channels. Their domain consists in the disjoint union of a countable set of constants and variables noted ι. We will use χ, χ', … to represent values drawn from this domain. 
• The domain of Channel effects. It is defined inductively by: 

  κ ::= ∅ | ζ | chan(χ, τ) | in(χ) | out(χ) | κ ∪ κ 

  We will use ζ to stand for a channel effect variable. The basic channel effect chan(χ, τ) represents the creation of a channel of type τ in the channel region χ; in(χ) denotes the effect resulting from an input on a channel of the channel region χ while out(χ) denotes an output on the channel of the region χ. We will write κ ⊒ κ' iff ∃κ''. κ = κ' ∪ κ''. Equality on effects is modulo ACI with ∅ as the neutral element. 

• The domain of types. It is inductively defined by: 

  τ ::= unit | int | bool | α | ref_ρ(τ) | chan_χ(τ) | τ →^{σ,κ} τ 

  unit is a type with only one element "()", α a type variable, ref_ρ(τ) is the type of references in the region ρ to values of type τ, chan_χ(τ) is the type of channels in the communication region χ that are intended to be mediums for values of type τ, τ →^{σ,κ} τ' is the type of functions that take parameters of type τ to values of type τ' with a latent reference effect σ and a latent channel effect κ. We mean by latent effect the effect generated when the corresponding expression is evaluated. 

We also define type schemes of the form ∀v_1, …, v_n . τ where v_i can be a type, reference region, channel region, reference effect or channel effect variable. A type τ' is an instance of ∀v_1, …, v_n . τ, noted τ' ≺ ∀v_1, …, v_n . τ, if there exists a substitution θ defined over v_1, …, v_n such that τ' = θτ. 

Our static semantics contains sequents of the form: 

  ℰ ⊢ E : τ, σ, κ 

which state that under some typing environment ℰ the expression E has a type τ, a reference effect σ and a channel effect κ. Notice that type environments ℰ map identifiers to type schemes. 
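As an added illustration of the sequents ℰ ⊢ E : τ, σ, κ (this is not the paper's inference system, which also handles polymorphism, abstraction and latent effects), the Python checker below types a monomorphic first-order fragment of the language of section 3: references, dereferencing, assignment, channel creation, send, receive, sequencing and let. Effects are kept as sets of basic effects, so equality is ACI with the empty set as neutral element, and regions ρ_i, χ_i are allocated fresh per ref and channel() expression. Because the fragment has no type inference for channels, channel() carries the type it transports as an annotation; that annotation, the AST classes and the Checker name are this example's assumptions.

```python
# Added example, not the paper's inference system (which also handles
# polymorphism, abstraction and latent effects): a checker for a
# monomorphic, first-order fragment of the language of section 3 that
# returns the triple (tau, sigma, kappa) of a sequent E |- e : tau, sigma,
# kappa.  Effects are sets of basic effects, so union is ACI with the empty
# set as neutral element; regions rho_i and chi_i are allocated fresh for
# each ref and channel() expression.  The AST classes, the type annotation
# on Channel and the names are this example's assumptions.
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Tuple
import itertools

# Types: "unit", "int", "bool", ("ref", rho, tau), ("chan", chi, tau).
Ty = Any
Effects = FrozenSet[Tuple]   # ("init", rho, tau), ("read", rho), ("write", rho),
                             # ("chan", chi, tau), ("in", chi), ("out", chi)

@dataclass
class Lit:     value: Any               # (), true, false, integers
@dataclass
class Ident:   name: str
@dataclass
class Ref:     init: Any                # ref E
@dataclass
class Deref:   ref: Any                 # !E
@dataclass
class Assign:  ref: Any; value: Any     # E := E'
@dataclass
class Channel: elem: Ty                 # channel(), annotated with the carried type (assumption)
@dataclass
class Send:    chan: Any; value: Any    # E!E'
@dataclass
class Recv:    chan: Any                # E?
@dataclass
class Seq:     first: Any; second: Any  # E ; E'
@dataclass
class Let:     name: str; bound: Any; body: Any

def expect(t: Ty, head: str) -> None:
    if not (isinstance(t, tuple) and t[0] == head):
        raise TypeError(f"expected a {head} type, got {t!r}")

def unify(a: Ty, b: Ty) -> None:
    if a != b:
        raise TypeError(f"type mismatch: {a!r} vs {b!r}")

class Checker:
    def __init__(self):
        self.counter = itertools.count()

    def fresh(self, prefix: str) -> str:
        return f"{prefix}{next(self.counter)}"

    def infer(self, env: Dict[str, Ty], e) -> Tuple[Ty, Effects, Effects]:
        no: Effects = frozenset()
        if isinstance(e, Lit):
            return {bool: "bool", int: "int", tuple: "unit"}[type(e.value)], no, no
        if isinstance(e, Ident):
            return env[e.name], no, no
        if isinstance(e, Ref):                       # allocation: init(rho, tau)
            t, s, k = self.infer(env, e.init)
            rho = self.fresh("rho")
            return ("ref", rho, t), s | {("init", rho, t)}, k
        if isinstance(e, Deref):                     # read(rho)
            t, s, k = self.infer(env, e.ref)
            expect(t, "ref")
            return t[2], s | {("read", t[1])}, k
        if isinstance(e, Assign):                    # write(rho)
            tr, s1, k1 = self.infer(env, e.ref)
            tv, s2, k2 = self.infer(env, e.value)
            expect(tr, "ref")
            unify(tr[2], tv)
            return "unit", s1 | s2 | {("write", tr[1])}, k1 | k2
        if isinstance(e, Channel):                   # chan(chi, tau)
            chi = self.fresh("chi")
            return ("chan", chi, e.elem), no, frozenset({("chan", chi, e.elem)})
        if isinstance(e, Send):                      # out(chi), value must match the channel type
            tc, s1, k1 = self.infer(env, e.chan)
            tv, s2, k2 = self.infer(env, e.value)
            expect(tc, "chan")
            unify(tc[2], tv)
            return "unit", s1 | s2, k1 | k2 | {("out", tc[1])}
        if isinstance(e, Recv):                      # in(chi)
            tc, s, k = self.infer(env, e.chan)
            expect(tc, "chan")
            return tc[2], s, k | {("in", tc[1])}
        if isinstance(e, Seq):
            _, s1, k1 = self.infer(env, e.first)
            t2, s2, k2 = self.infer(env, e.second)
            return t2, s1 | s2, k1 | k2
        if isinstance(e, Let):                       # monomorphic let: no generalisation
            tb, s1, k1 = self.infer(env, e.bound)
            t2, s2, k2 = self.infer({**env, e.name: tb}, e.body)
            return t2, s1 | s2, k1 | k2
        raise TypeError(f"unknown expression {e!r}")

def rejects(e) -> bool:
    """True when the fragment rejects e with a type error."""
    try:
        Checker().infer({}, e)
        return False
    except TypeError:
        return True

def demo() -> Tuple[Ty, Effects, Effects]:
    # let c = channel() in let r = ref 0 in (r := c?) ; !r     (constructed program)
    prog = Let("c", Channel("int"),
               Let("r", Ref(Lit(0)),
                   Seq(Assign(Ident("r"), Recv(Ident("c"))), Deref(Ident("r")))))
    return Checker().infer({}, prog)
```

For the constructed program in demo the sequent is ℰ ⊢ prog : int, {init(ρ1, int), write(ρ1), read(ρ1)}, {chan(χ0, int), in(χ0)}: the store effects and the communication effects are collected separately, which is the split the paper adds to [TJ92].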

5 Operational semantics 

In this section we present the operational semantics. We will use the same style as [HI90, HI91]. For that, let us introduce first the notion of computable values of the language. 

Definition 5.1 The set V of computable values is defined as the least set which satisfies: 

• V contains literals such as (), true, false, integers, or references, or channels. 

• if v, v' ∈ V, then (v, v') ∈ V. 

• if Γ is an environment, then the closure [λx.E, Γ] ∈ V. 

Let us denote by R the set of references and by K the set of channels. Now, we need to define the notion of store. The set of possible stores Store is made of store actions. The latter stand for both the current associations of references and values, and also for the different actions on the store (read, write operations and the channel creations). The formal definition is: 

  Store = P_f(StoreAction) 

  StoreAction = {init(r, v) | r ∈ R and v ∈ V} ∪ 
                {read(r) | r ∈ R} ∪ 
                {write(r) | r ∈ R} ∪ 
                {chan(c) | c ∈ K} 

The store action init(r, v) means that the reference r is bound to the value v. The store actions read(r) and write(r) model respectively a read and a write operation on the reference r. Finally, the store action chan(c) corresponds to the creation of a channel c. We will write s, s', … to denote stores drawn from the set Store. We write s_r to denote the store s excluding store actions of the form init(r, v). We say that s is included in s', or s' extends s, noted s ⊑ s', if and only if there exists s'' such that s' = s ∪ s''. We note dom(s) = {r | ∃v. init(r, v) ∈ s} the domain of store s. 

We note EV the set of expressions and computable values. We will use v, v', … to represent values drawn from V, l, l', … to represent values drawn from EV and E, E', … to represent expressions. 

Our operational semantics is based on the evolution of special configurations defined hereafter. First, we distinguish the set of basic (initial) configurations: 

Definition 5.2 The set of basic configurations BC is defined as: 

  BC = {(l, s) | l ∈ EV ∧ s ∈ Store} 

Definition 5.3 The set of configurations, C, is defined as the least set which satisfies: 

1. BC ⊆ C 

2. α ∈ C implies ref α, α?, !α ∈ C 

3. α, β ∈ C implies α op β ∈ C where op = ⊕, □ 

4. α ∈ C implies α; E, E!α, E := α, E α ∈ C 

5. α ∈ C implies α!v, α v, v α ∈ C 

6. α, β ∈ C implies α || β ∈ C 

7. α ∈ C implies [λx.E, Γ] α ∈ C 

8. α ∈ C implies: 

   (a) let x = α in E ∈ C 

   (b) if α then E_1 else E_2 ∈ C 

where E, E_1, E_2 denote expressions, s, s' denote stores and v denotes a computable value. 

We will use α, α', …, β, β', … to denote configurations drawn from C. 

The operational semantics is presented in the usual way, by defining a labeled transition system on configurations. There are two kinds of events, ranged over respectively by a and ε: 

• Visible events: They consist in input events of the form (?, c, v, s) and output events of the form (!, c, v, s) where c is a channel, v a value in V and s is the current operational dynamic store. We will use the notation ā to denote the complement action of a. For instance, the complement of (?, c, v, s) is (!, c, v, s). Notice also that the complement of ā is a. 

• A silent event noted ε that is used to denote internal moves such as synchronisations on complementary actions. 

We will use a, a', … to denote events drawn from the set of visible and invisible events. We will write α —a→ β to denote the evolution of α into β after performing the event a. 

The transition relation is defined as the smallest relation satisfying the axioms and rules given in the figures 2 and 3. 

6 Consistency Theorem 

In this section the intention is to prove that the static semantics is consistent w.r.t. the dynamic semantics. The primary objective underlying the consistency theorem is to ensure that an expression and the value it evaluates into have the same type. It ensures also that the evaluation of an expression only leads to observable effects on the store that are compatible with those of its original static effect. But we have also to handle some additional problems: 

• An expression does not, due to the presence of the recursion operator, necessarily terminate, and does thus not necessarily evolve into a value. We want the consistency theorem to establish consistency in these cases too. 

• We also want to treat communication effects. We thus want to ensure that the evaluation of an expression only leads to observable communication effects that are compatible with those of its original static effect. 

• We finally have, due to communication, to handle open systems that will potentially receive values from the outside, and send values to the outside. We thus have to consider only correctly typed inputting values, and verify that outputting values conform to the channel types. 

Theorem 6.1 (Consistency) 

Let α be a configuration, suppose that S, K ⊨ store(α) : σ, κ and store(α) : σ, κ, S, K ⊨ Γ : ℰ. If ℰ ⊢ expr(α) : τ, σ', κ' and Γ ⊢ α —a→ α' then, provided that whenever a is an input event its value conforms to the type of the involved channel (i.e. whenever a = (?, c, v, s) for some channel c and some value v, then s : σ, κ, S, K ⊨ v : τ_1 and s : σ, κ, S, K ⊨ c : chan_χ(τ_1)), there exist S' and K' extending S and K, and unobservable effects σ'' and κ'', i.e. Observe(ℰ, τ, σ'') = ∅ and Observe(ℰ, τ, κ'') = ∅, such that: 

• If expr(α') is a value then: 

  1. S', K' ⊨ store(α') : σ ∪ σ' ∪ σ'', κ ∪ κ' ∪ κ'' and, 

  2. store(α') : σ ∪ σ' ∪ σ'', κ ∪ κ' ∪ κ'', S', K' ⊨ expr(α') : τ and, 

  3. K' ⊨ a : κ' ∪ κ'' 

• Else there exist σ'_1, σ'_2, κ'_1 and κ'_2 such that: 

  σ'_1 ∪ σ'_2 = σ' and 
  κ'_1 ∪ κ'_2 = κ' and 

  S', K' ⊨ store(α') : σ ∪ σ'_1 ∪ σ'', κ ∪ κ'_1 ∪ κ'' 
  and K' ⊨ a : κ'_1 ∪ κ'' and 
  ℰ ⊢ expr(α') : τ, σ'_2, κ'_2 and 
  store(α') : σ ∪ σ'_1 ∪ σ'', 
  κ ∪ κ'_1 ∪ κ'', S', K' ⊨ Γ : ℰ 

Furthermore if a is an output event, its value conforms to the type of the involved channel. 

7 Conclusion 

We have reported in this paper the complete definition of an implicitly strongly typed polymorphic concurrent and functional language that supports data accepting in-place modification. We have presented a complete static semantics that rests on an extension of the type and effect discipline to handle communication effects. Afterward we have presented an operational semantics of the language that rests on an extension of VPLA operational semantics. The consistency of the typing system w.r.t. the operational semantics has been established. 

As future research, we plan to investigate refinement issues as well as structuring and modularity mechanisms. We are particularly interested in experimenting some new approaches in modularity from the algebraic specification world such as the loose stratified semantics proposed by [Bid89]. Another important research interest for us is to develop an axiomatic semantics of our language as well as its mechanisation in order to prove program properties. 
In its modern form the algebra of relations has been under investigation by mathematicians since Tarski's seminal (1941) paper. The main line of development has been the study of a class of algebras called relation algebras (Chin and Tarski 1951, Jonsson 1982), in parallel with developments such as Boolean algebras with operators (Jonsson and Tarski 1951/1952) and cylindric algebras (Henkin, Monk and Tarski 1985). Since the early seventies the algebra of relations has increasingly become of interest to computer scientists. Just as the notion of a partial function provides a natural model for deterministic programs, so the more general notion of a (binary) relation provides a natural model for nondeterministic programs. This idea has been exploited by various authors. For example, it is evident in Floyd-Hoare logic for program verification, it has been extended to specification in Hoare and He, Jifeng (1987), it figures in logics of programs such as dynamic logic (Parikh 1981, Harel 1984), and it was used in the early seventies to model recursive procedures (de Bakker and de Roever 1973, Hitchcock and Park 1972). Recently the algebra of relations has been extensively used in a graph-theoretic approach to programs by Schmidt and Strohlein (1991). In modal logic, relation algebra features strongly in the Dutch-Hungarian cooperation on van Benthem's (1991) new arrow logic (see Logic at Work, Proceedings of the Applied Logic Conference (1992)). Venema (1992) is another interdisciplinary study of relation algebra and multi-modal logic. The proof theory of relations is also of interest to computer scientists, and several relational inference systems are available (Wadge 1975, Hennessy 1980, Maddux 1983, Orlowska 1991).

In many applications it has become clear that we need, not just an algebra of relations as distinct from an algebra of sets, but an algebra of relations interacting with sets. (For example, if we view a program as effecting a transition on a state space, we may wish to model this by a binary relation acting on a set of states.) Such an algebra was presented in Brink (1981) under the name of Boolean modules. A Boolean module is defined (Brink 1988) as a two-sorted algebra M = (B, R, :), where B is a Boolean algebra, R is a relation algebra and : is a mapping R × B → B written r:a such that for any r, s ∈ R and a, b ∈ B:

M1 r:(a + b) = r:a + r:b
M2 (r + s):a = r:a + s:a
M3 r:(s:a) = (r;s):a
M4 e:a = a
M5 0:a = 0
M6 r˘:(r:a)' ≤ a'.

*To appear in Formal Aspects of Computing.

The symbols +, :, ;, e, 0, ˘, ' and ≤ respectively denote join, Peirce product, relational composition, identity, zero, converse, complementation and the usual partial ordering. Let A be any subset of some non-empty set U and let R, S be any binary relations over U. In the standard models (i.e., in proper Boolean modules) the join is set-theoretic union. The Peirce product R:A is the set of elements x related by R to some element y in A. The relational composition R;S is the set of pairs (x,y) for which there is a z such that (x,z) ∈ R and (z,y) ∈ S. The identity is the identity relation over U. The zero is the empty set. The converse of a relation R is the set R˘ of pairs (y,x) for which (x,y) ∈ R. Complementation of sets (respectively relations) is with respect to U (respectively U × U). And ≤ is interpreted as the subset relation.

Though independent of the computer science context, Boolean modules are very similar to dynamic algebras, introduced by Kozen (1980) as the algebraic version of dynamic logic. And both of these are quite similar to the extended relation algebras introduced by Suppes (1976) in a linguistic context. However, Boolean modules and dynamic algebras both have the drawback of not treating relations (programs) and sets equally: there is a set-forming operator on relations, but no relation-forming operator on sets. Extended relation algebras do not have this drawback, but they do have the drawback of being as yet unformalized as algebras.

We present here a two-sorted algebra, called a Peirce algebra, of relations and sets 
interacting with each other. In a Peirce algebra, sets (or rather, the variables representing 
sets) can combine with each other as in a Boolean algebra, relations can combine with 
each other as in a relation algebra, and in addition we have both a set-forming operator 
on relations and a relation-forming operator on sets. The former is the Peirce product 
used in Boolean modules; the latter is the operation of cylindrification. Peirce algebras 
thus present a natural next step after Boolean algebras, relation algebras and Boolean 
modules. 

Formally, we define a Peirce algebra to be a Boolean module (B, R, :) enriched with an operation ^c from the underlying Boolean algebra B to the underlying relation algebra R such that for every a ∈ B and r ∈ R:

P1 a^c : 1 = a

P2 (r:1)^c = r;1.

In the standard models (i.e., in proper Peirce algebras) applying the cylindrification operation to a set A yields the relation A^c given by the Cartesian product A × U. An example of a Peirce algebra is any extended relation algebra. Another example is any relation algebra. We show that the underlying Boolean algebra B of any Peirce algebra can be embedded in its underlying relation algebra R in two ways: as the Boolean algebra of so-called right ideal elements in R, and as the Boolean algebra of elements below the identity of R. These results reiterate the point made by Maddux (1990) that Peirce algebra is not a mathematical requisite for modelling interactions between relations and sets, in the sense that these can be modelled in relation algebras (as interactions with right ideal elements, for example). However, we argue that Peirce algebra provides a more natural framework for doing so. In a Peirce algebra one can actually manipulate both sets and relations simultaneously. From an applications-oriented point of view this is an advantage, and we present two (sets of) sample applications to substantiate this point.
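As an added example (not part of the paper), the following constructs a proper Peirce algebra over a constructed two-element universe, interprets +, :, ;, e, 0, ˘, ' and ^c as in the standard models, and checks M1-M6, P1-P2 and the two embeddings of B into R by brute force; the universe, the function names and the criterion r;1 = r used to recognize right ideal elements are my own choices.

```python
# Added example (not the paper's own code): a proper Peirce algebra over the
# constructed universe U = {0, 1}. Sets are frozensets of elements, relations
# are frozensets of pairs, and the operations are the set-theoretic ones
# described in the text.
from itertools import combinations

U = frozenset({0, 1})                              # constructed sample universe
TOP_REL = frozenset((x, y) for x in U for y in U)  # the relation 1 (U x U)
IDENT = frozenset((x, x) for x in U)               # the identity e
ZERO = frozenset()                                 # the zero 0 (empty set/relation)

def powerset(s):
    s = sorted(s)
    return [frozenset(c) for k in range(len(s) + 1) for c in combinations(s, k)]

SETS = powerset(U)        # carrier of the Boolean algebra B (4 sets)
RELS = powerset(TOP_REL)  # carrier of the relation algebra R (16 relations)

def peirce(r, a):
    """Peirce product r:a = {x | (x, y) in r for some y in a}."""
    return frozenset(x for (x, y) in r if y in a)

def compose(r, s):
    """Relational composition r;s."""
    return frozenset((x, y) for (x, z) in r for (z2, y) in s if z == z2)

def converse(r):
    return frozenset((y, x) for (x, y) in r)

def cyl(a):
    """Cylindrification a^c = a x U (the relation-forming operator on sets)."""
    return frozenset((x, y) for x in a for y in U)

def boolean_module_axioms_hold():
    """Check M1-M6 for every r, s in R and a, b in B (exhaustive for |U| = 2)."""
    for r in RELS:
        for a in SETS:
            if peirce(IDENT, a) != a or peirce(ZERO, a) != ZERO:        # M4, M5
                return False
            if not peirce(converse(r), U - peirce(r, a)) <= U - a:      # M6
                return False
            if any(peirce(r, a | b) != peirce(r, a) | peirce(r, b)      # M1
                   for b in SETS):
                return False
            for s in RELS:
                if peirce(r | s, a) != peirce(r, a) | peirce(s, a):      # M2
                    return False
                if peirce(r, peirce(s, a)) != peirce(compose(r, s), a):  # M3
                    return False
    return True

def peirce_axioms_hold():
    """Check P1 (a^c : 1 = a) and P2 ((r:1)^c = r;1); 1 is U in B and U x U in R."""
    return (all(peirce(cyl(a), U) == a for a in SETS)
            and all(cyl(peirce(r, U)) == compose(r, TOP_REL) for r in RELS))

def right_ideal_elements():
    """Right ideal elements of R: relations r with r;1 = r (criterion assumed here)."""
    return {r for r in RELS if compose(r, TOP_REL) == r}

def subidentity_elements():
    """Elements of R below the identity."""
    return {r for r in RELS if r <= IDENT}

def embeddings_are_boolean():
    """B embeds into R both as the cylinders a^c and as the partial identities,
    and both maps preserve join and complement (so they are Boolean embeddings)."""
    partial = lambda a: frozenset((x, x) for x in a)
    onto = ({cyl(a) for a in SETS} == right_ideal_elements()
            and {partial(a) for a in SETS} == subidentity_elements())
    joins = all(cyl(a | b) == cyl(a) | cyl(b) and partial(a | b) == partial(a) | partial(b)
                for a in SETS for b in SETS)
    compl = all(cyl(U - a) == TOP_REL - cyl(a) and partial(U - a) == IDENT - partial(a)
                for a in SETS)
    return onto and joins and compl
```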

The first shows how three programming constructs in the calculus of weakest prespecification of Hoare and He, Jifeng (1987) can be modelled naturally in Peirce algebras. This comes about through the isomorphism in any Peirce algebra (B, R, :, ^c) between the
Boolean algebra B and the Boolean algebra of right ideal elements of the relation algebra R and the isomorphism between B and the Boolean algebra of identity elements in R. First, Hoare and He, Jifeng (1987) use right ideal elements to model conditional statements in logics representing programs as binary relations. Second, subsets of the identity relation are used to model a test operation (Parikh 1981). Third, left ideal elements can be used to model the initialization of abstract data types as defined in Hoare, He, Jifeng and Sanders (1987).

The second application points out that the so-called terminological logics arising in knowledge representation based on the system KL-ONE (Woods and Schmolze 1992) have evolved a semantics best described as a calculus of relations interacting with sets. Brink and Schmidt (1992) show that the terminological representation language ALC of Schmidt-Schauß and Smolka (1991) can be captured in the context of Boolean modules. In this paper we extend this idea and use Peirce algebra to accommodate terminological representation languages even more expressive than ALC.

Terminological representation languages have two syntactic primitives, called concepts and roles. Concepts are usually interpreted as sets and roles as binary relations. As sets and relations have simple calculi that can be presented, respectively, in the context of Boolean algebra and relation algebra, concepts can be modelled in Boolean algebra and roles in relation algebra. Concepts and roles also interact in certain ways, and these can be modelled as interactions between relations and sets. More specifically, concept-forming operations on roles can be interpreted as variants of Peirce product (with two exceptions), and an algebraic characterization of such interactions is given by Boolean modules. (The exceptions involve numerical quantification.) Role-forming operators on concepts can be interpreted in terms of cylindrification. A natural algebraic presentation for such interactions is then Peirce algebra. The advantages of doing so are: First, Peirce algebra provides a formal mathematical framework for KL-ONE-based knowledge representation, the development of which has, by and large, been implementation-driven and rather ad hoc. Second, Peirce algebra provides a natural (equational) axiomatization for reasoning about information represented in a terminological language. Third, terminological representation can be linked to other areas of application of Peirce algebra. Schmidt (1993), for example, exploits the link between Peirce algebra and extended relation algebra and shows how terminological representation can benefit from Suppes' (1976) linguistic analysis of English language sentences.
Comparing Two Different Approaches to Products in Abstract Relation Algebras


R. Berghammer*, A. Haeberer†, G. Schmidt*, P. Veloso†


1 Introduction 

The study of relation algebras has its roots in the second half of the XIX century with the pioneering work of Boole and de Morgan. Later on, Peirce in a series of papers developed the algebra of relations, and by the end of the century Schröder definitively set the basis of modern relation algebra in his magnum opus. The modern development of the topic starts with the fundamental work of Tarski and his co-workers (see e.g., [13, 5, 8]). In the early 70's relations and relational calculi began to be used for formal programming by de Bakker and de Roever. In the following decade, Hoare and He related the work of Birkhoff on residuals with Dijkstra's weakest precondition approach to programming. Recently, Möller used n-ary higher-order relations between nested tuples as elements of a language in which to specify and develop programs and Backhouse et al. developed a theory of data types based on the calculus of relations.

During the development of relation algebras as a formal programming tool, the need for some form of "categorical product" of relations became apparent, whether as a type or as an operation. This need was motivated by the lack of variables over individuals, which by itself is one of the main advantages of functional and abstract relational approaches to program development. Two approaches to this kind of extension arose in the late 70's and the early 80's, which will be referred to as the "Munich approach" [10, 3] and the "Rio approach" [7, 15]. Both of them rely on relation algebras as presented by Chin and Tarski [5]. The former uses heterogeneous relations and undertakes the "product-extension" as being a data type by axiomatically introducing two projections π and ρ and defining the product in terms of them. The latter uses homogeneous relations and introduces axioms for a fork operation ∇, thus extending relation algebra in the same way Jónsson and Tarski in [8] extended a Boolean algebra by means of operators in order to obtain a relation algebra. The introduction of ∇ induces a free groupoid structure in the basic set of the relation standard model of relation algebra, which by allowing the internalization of relations poses some interesting representability questions [1].

The Munich group started from giving relational semantics to programming language constructs and constructing semantic domains by relation algebraic means. They worked with heterogeneous relation algebras [12], introduced the point axiom [11] for these and discussed how representability depends on it. Defining the symmetric quotient [2, 16] made it possible to handle set and function comprehension.

The Rio approach, motivated mainly by the development of a relational programming calculus not bounded by lack of expressiveness, first tackled the problem — posed in [13] and formally treated in [9] — of the impossibility of expressing first-order formulae with four or more variables in abstract relation algebra. As it was shown in [14], the expressive power of the Boolean algebra with operators resulting from the extension of relation algebra with the ∇-operation encompasses

*Fak. für Informatik, Universität der Bundeswehr, Werner-Heisenberg-Weg 39, D-85577 Neubiberg (Germany)

that of first-order logic. In using this calculus, they developed various case studies on formal program construction, see e.g., [15]. Some interesting work has been done concerning the problem of the smooth transformation by calculation of expressions universally quantified by means of the construction \overline{RS} (the complement of the relational composition RS). Among other techniques under study, this was accomplished by the use of residuals in other ways than a straightforward solution X of inclusions of the form XR ⊆ S, which leads to a weakest precondition style of program construction.

This paper reports research work under joint development by the two groups. In this extended 
abstract we only compare the two relational approaches to products. The full paper also deals 
with some further topics like the formal construction of programs using abstract relation algebra. 

2 The Munich Approach to Direct Products 

Most operations occurring in real life involve several arguments and several sorts. Using relation algebra as a programming calculus, therefore, requires a means to deal with direct products and n-ary operations. In the following, the Munich approach to direct products is presented in a short manner. Also the monomorphy of the product is investigated.

In the Munich approach, direct products are characterized by means of natural projections, see [d, 2]. Then, one obtains the following specification (where I denotes the identity relation and L is the universal relation).

Definition. Given two relations π and ρ, we call the pair (π,ρ) a direct product, if
(1) π˘π = I   (2) ρ˘ρ = I   (3) ππ˘ ∩ ρρ˘ = I   (4) π˘ρ = L.

In this setting, π and ρ are called the natural projections. □

It is easy to verify that the projections from a Cartesian product X × Y to the components X and Y (considered as heterogeneous relations) are a model of (1) through (4). In this standard model we have: From (1) and (2) we get that the projections are univalent and surjective. Inclusion ⊆ of the third axiom ensures that there is at most one pair with given images in X and Y; the other inclusion means that π and ρ are total, i.e., there are no "unprojected" pairs. And, finally, condition (4) describes the fact that for every x ∈ X and y ∈ Y the pair (x,y) is indeed contained in X × Y.

We now investigate the question of how uniquely the direct product is determined by these rules. To this end, we need the following notions. Let R and S be two relations and consider a pair H := (Φ, Ψ) of functions. H is called a homomorphism from R to S if R ⊆ ΦSΨ˘ holds. If, in addition, the pair (Φ˘, Ψ˘) is a homomorphism from S to R, then H is said to be an isomorphism between R and S. Therefore, an isomorphism (Φ, Ψ) between R and S is a pair of bijective functions Φ and Ψ which satisfies the condition RΨ = ΦS.

By purely relation-algebraic reasoning, now, it can be shown that the direct product is uniquely characterized up to isomorphism:

Theorem 1. Assume that two direct products (π,ρ) and (π',ρ') are given together with two bijective functions Ψ1 and Ψ2 such that the products πΨ1π'˘ and ρΨ2ρ'˘ are defined. Then the pair (Φ, Ψ1) is an isomorphism between π and π' and the pair (Φ, Ψ2) is an isomorphism between ρ and ρ', where the bijective function Φ is defined as Φ := πΨ1π'˘ ∩ ρΨ2ρ'˘. □


3 The Rio Approach to Direct Products 

Now, we sketch the Rio approach to products. This approach is based on homogeneous relations and a fork-operation ∇ extending a relation algebra. The axioms of fork are as follows:

(5) R∇S = R(I∇L) ∩ S(L∇I)   (6) (R∇S)(P∇Q)˘ = RP˘ ∩ SQ˘.

It is a classical result that (homogeneous) relation algebra is inferior in expressive power to predicate logic. However, homogeneous relation algebra extended with a product using the operator ∇ and axioms (5) and (6) has the same expressive power as predicate logic [14].


4 Comparison 

We are now going to compare the product axiomatization of the two approaches. In particular, we present a cross-derivation of either approach using the axiomatic presentation of the other. This is a little bit complicated as it means a comparison of results in a homogeneous and in a heterogeneous relation algebra. So we cannot in all cases expect textually identical results when simulating one feature in the other type of algebra.

First, we express π and ρ via ∇. To this end, let a ∇-extended homogeneous relation algebra be given. We consider partial identities, i.e., relations contained in the identity relation I. In the case of a relation on a set X each partial identity S ⊆ X × X describes a subset of X, viz. the set {x ∈ X : (x,x) ∈ S}. It is easy to prove that partial identities are invariant under transposition and that composition of a partial identity with itself is idempotent. Thus, we are able to prove the following theorem defining the two projections in terms of the operation ∇.

Theorem 2. Let three partial identities δX, δY, and δ be given satisfying the property

δ = (δX∇L)˘(δX∇L) ∩ (L∇δY)˘(L∇δY).

Then it is possible to define two relations π := (δX∇L)˘ and ρ := (L∇δY)˘ such that the intentions of the above definition are met in the following form:

π˘π = δX   ρ˘ρ = δY   ππ˘ ∩ ρρ˘ = δ   π˘ρ = δX L ∩ L δY. □

Now we deal with the other direction, i.e., the description of ∇ via the two projections. Therefore, we assume a heterogeneous relation algebra. Then we are able to prove:

Theorem 3. Let a direct product (π,ρ) be given. We define for this product an operation ∇ (in infix notation) by R∇S := Rπ˘ ∩ Sρ˘. Then we obtain the equation

R∇S = R(I∇L) ∩ S(L∇I).

If the point axiom (see [11]) holds, i.e., the relation algebra is representable, then we also have

(R∇S)(P∇Q)˘ = RP˘ ∩ SQ˘. □

One might ask whether the second statement of this theorem (of which "⊆" is rather trivial) could also be proven without assuming the additional condition. Over the years we have tried very hard to solve this "unsharpness-problem". For example, in [3, 16] some weaker conditions than the point axiom can be found. Today, we believe that a proof of inclusion "⊇" without conditions is not possible, i.e., that there are models of the axioms of a heterogeneous relation algebra in which only the inclusion "⊆" holds.
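The following is an added example, not code from the paper or from RALF: it builds the natural projections of a constructed product X × Y, checks axioms (1)-(4) on them, defines R∇S := Rπ˘ ∩ Sρ˘ as in Theorem 3 and confirms (5) and (6) on sampled relations (this is a representable model, so the point axiom holds and (6) is expected to hold). The sorts X, Y, Z, the function names and the sampling are my own choices.

```python
# Added example (not the paper's own code): Munich projections and the Rio fork
# on the constructed product X x Y. Relations are frozensets of pairs; ident
# and univ are the relations I and L of the text, PI and RHO are π and ρ.
import random

X = frozenset({"a", "b"})          # constructed sort X
Y = frozenset({1, 2, 3})           # constructed sort Y
Z = frozenset({0, 1})              # constructed source sort for R, S, P, Q
PAIRS = frozenset((x, y) for x in X for y in Y)   # the product X x Y

def compose(r, s):
    return frozenset((x, y) for (x, z) in r for (z2, y) in s if z == z2)

def converse(r):
    return frozenset((y, x) for (x, y) in r)

def ident(s):                      # I on sort s
    return frozenset((v, v) for v in s)

def univ(s, t):                    # L between sorts s and t
    return frozenset((u, v) for u in s for v in t)

PI = frozenset((p, p[0]) for p in PAIRS)    # π : X x Y -> X
RHO = frozenset((p, p[1]) for p in PAIRS)   # ρ : X x Y -> Y

def is_direct_product(pi, rho):
    """Axioms (1)-(4) of the Munich definition, checked in the standard model."""
    return (compose(converse(pi), pi) == ident(X)                                   # (1)
            and compose(converse(rho), rho) == ident(Y)                             # (2)
            and compose(pi, converse(pi)) & compose(rho, converse(rho)) == ident(PAIRS)  # (3)
            and compose(converse(pi), rho) == univ(X, Y))                           # (4)

def fork(r, s):
    """Theorem 3: R∇S := Rπ˘ ∩ Sρ˘ for R : Z -> X and S : Z -> Y."""
    return compose(r, converse(PI)) & compose(s, converse(RHO))

def axiom5_holds(r, s):
    """(5) R∇S = R(I∇L) ∩ S(L∇I), with I and L taken at the fitting sorts."""
    return fork(r, s) == (compose(r, fork(ident(X), univ(X, Y)))
                          & compose(s, fork(univ(Y, X), ident(Y))))

def axiom6_holds(r, s, p, q):
    """(6) (R∇S)(P∇Q)˘ = RP˘ ∩ SQ˘; Theorem 3 guarantees it under the point axiom."""
    return (compose(fork(r, s), converse(fork(p, q)))
            == compose(r, converse(p)) & compose(s, converse(q)))

def random_relation(rng, s, t):
    return frozenset(pair for pair in univ(s, t) if rng.random() < 0.5)

def axioms_hold_on_samples(trials=200, seed=0):
    """Sample R, P : Z -> X and S, Q : Z -> Y and check (5) and (6) on each sample."""
    rng = random.Random(seed)
    for _ in range(trials):
        r, p = random_relation(rng, Z, X), random_relation(rng, Z, X)
        s, q = random_relation(rng, Z, Y), random_relation(rng, Z, Y)
        if not (axiom5_holds(r, s) and axiom6_holds(r, s, p, q)):
            return False
    return True
```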

We have shown that one approach may more or less directly simulate the other; so either one could be taken, the Rio approach with partial identities, as well as the Munich approach using heterogeneous relations. It should be mentioned that the major part of the proofs of the theorems were developed with RALF, a relation-algebraic formula manipulation system and proof checker developed in Munich [4] and re-implemented on a different hardware-software basis by the Rio group.

Finally, let us shortly discuss some advantages and disadvantages of the two approaches. While using partial identities, there are no problems with the applicability of operations. However, when nonfitting relations are multiplied, the result will often be the null relation. On the other hand, a supporting computer system such as RALF or RELVIEW should refuse to operate on nonfitting relations. Heterogeneous relations fit neatly into the way of thinking with sorts or types in Computer Science. Working with matrices and vectors might even let engineers feel comfortable since they are accustomed to them. A second difference between the two approaches is with respect to the existence of models. In the heterogeneous case, one can work with small models that certainly exist, such as the set of all boolean n × n, m × m, n × m, m × n-matrices. In contrast, already the very first examples in the other case are burdened with the question of whether the base set of all the partial identities is free of set-theoretical antinomies. There is also another important difference. When working with relations R ⊆ X × Y between sorts and types, one has the possibility of distinguishing the categorical object X from the domain RL where the relation is "defined". This difference, to which computer scientists are very much accustomed, is usually hidden when using partial identities, since then one would have to manipulate two partial identities to fully handle R. In [6], pp. 334-354, however, a new kind of objects, called problems, is studied taking this into account.
Specifying Type Systems with Multi-Level Order-Sorted Algebra

Martin Erwig*

We show how to use order-sorted algebras on multiple levels to describe type systems and languages, in particular, data models and query languages. It is demonstrated that even advanced aspects can be modeled, including parametric polymorphism, relationships between different sorts of an operation's rank, the specification of a variable number of parameters for operations, and type constructors using values (and not only types) as arguments.

1 Main Idea 

The concept of multi-level algebra was initiated from our work on extending data models by new data [2]. Although many-sorted algebra can be conveniently used to describe non-standard data models many important aspects remain unformalized. Even the generalization to order-sorted algebra [4], though nicely expressing subtypes and the notions of inheritance and overloading, is not able to model fundamental concepts, such as parametric polymorphism. Parametric order-sorted algebra [3] offers a partial solution, but there are still dependencies that cannot be expressed. For example, it is not clear, in general, how to define a parametric module that is not allowed to accept an instance of itself as parameter, which is needed, for instance, to define unnested sequences.

In contrast, this is possible with two levels of order-sorted algebra. The idea (in the two-level case) is to use a signature to describe a type system (or, language of types) where sorts denote sets of type names and operations denote type constructors. The values of an algebra for such a signature are then used as sorts of another signature now describing a language having the previously defined type system. This approach is not limited to two levels, and there are indeed reasonable applications of three-level algebras.

2 Kinds: Describing Ad Hoc and Subtype-Polymorphism

Suppose we have to define an operation "<" on numbers and strings (and possibly several other sorts). One approach is to give each signature entry separately. This becomes tedious as the number of data types for which "<" is defined grows. So it is much more convenient to group all the sorts in a kind [1], for example, ORD = {nat, int, str}, and then to define all signature entries by a type scheme:

∀ ord ∈ ORD. <: ord × ord → bool

Apart from saving space, this notation is more descriptive w.r.t. the language being defined, since the ad hoc polymorphism of "<" is not "scattered" over different places in the signature.

Subtype-polymorphism, too, can be specified using kinds: First, define for each sort s (having subsorts) a kind SUB_s containing s and all subsorts of s. Then introduce for each operation f: s → t a specification:

∀ σ ∈ SUB_s. f: σ → t

3 Two-Level Algebra: Type Constructors and Parametric Polymorphism

A type constructor takes one or more types as arguments and produces a new type as result. The sequence constructor (seq), for example, takes a type, say, int, and produces the type containing all sequences of integers. Of course, seq may be applied to other types as well, but in some languages where nested sequences are not allowed (for instance, database languages) it must not be applied to sequence types. In that case, the argument types for seq are a proper subset of all types and can be grouped into an appropriate kind. Similarly, the result types form a kind, too.

Now we can regard kinds and type constructors as sorts and operations, respectively, of an order-sorted signature. The example of unnested sequences can then be expressed as:

*FernUniversität Hagen, Praktische Informatik IV, Postfach 940, 5800 Hagen, Germany, erwig@fernuni-hagen.de



typesystem UNNESTED
kinds ARG, SEQ
tcons int, str, bool: → ARG
      seq: ARG → SEQ

In the sequel we shall presume the variable quantifications "∀ seq ∈ SEQ" and "∀ arg ∈ ARG". Now we can specify operations on sequences as follows.

language LISTS
types from UNNESTED
funs nil: → seq
     cons: arg × seq(arg) → seq(arg)
     hd: seq(arg) → arg
     tl: seq(arg) → seq(arg)
     length: seq → int

Note that "∀ seq ∈ SEQ. seq" denotes the same types as "∀ arg ∈ ARG. seq(arg)". Thus, we can use the variable seq in the type specifications for nil and length since we do not need to refer to the argument type of the respective sequences.

The signature UNNESTED defines merely the typing of type constructors. The semantics usually consists of two parts: On the one hand, algebraic properties of type constructors can be specified by equations (for instance, associativity of a product operator). The set of sorts is then taken modulo such a specification (in our example this was not necessary). On the other hand, the effects of type constructors on the carrier sets need to be given by additional functions. Formally, we can capture this by the following definition.

Definition (Multi-Level Algebra) An order-sorted signature is a 1st-level signature, and an order-sorted algebra is a 1st-level algebra. Given an nth-level signature (S, ≤, Σ) and an nth-level Σ-algebra B, an order-sorted signature (S', ≤', Σ') is an (n+1)st-level signature depending on Σ and B if S' = ∪_{s∈S} s^B. A Σ'-algebra A is an (n+1)st-level algebra if for each σ ∈ Σ there is a function σ^A (called type constructor) and if for each s ∈ S' such that s = σ_w^B(t_1, ..., t_n) (with w = s_1 ... s_n and t_i ∈ s_i^B for 1 ≤ i ≤ n) we have s^A = σ_w^A(t_1^A, ..., t_n^A). The functions σ^A define the constructor semantics for Σ, and A depends on (the higher level) B and the constructor semantics for Σ. □

Note that the individual algebra levels are denoted by counting backwards (with regard to the construction history). That is, an (n+1)st-level algebra A (or, A_1) depending on the nth-level algebra B (or, A_2) is said to be on the first level whereas B is said to be on the second level, and so on. In particular, when Σ is used to describe types, we also say that Σ is on type level and Σ' is on language level.

The constructor semantics for the seq constructor is defined by:

seq(s)^A = seq^A(s^A) = (s^A)*

4 Lifting 

According to our definition, type constructors are working exclusively on types. But there are constructors that are also based on values. The array constructor, for example, takes in addition to its component type two values of an ordered type. Similarly, the string constructor takes a number n and denotes the set of strings of length n.

In order to retain the clear separation of the kind/type/value levels Cardelli [1] proposed to "lift" values onto the type level (and the corresponding types onto the kind level). With regard to the two examples, this means to introduce for each value n ∈ nat a new type n̄ with the carrier being n̄^A = {n}. Moreover, we create a new kind, nat, with nat^B = {n̄ | n ∈ nat}. Then array and string can be used exclusively on the type level, as in array(1, 9, bool) or string(23).

Let Σ_L denote the subset of type constructors that need lifted types. In order to specify a type system and language using types constructed by operations of Σ_L the following steps have to be performed (for a two-level algebra):

(i) Define the type system without Σ_L. Call the signature Σ_0.

(ii) Define Σ'_0, the part of the language not needing types constructed by Σ_L.

(iii) Perform lifting of Σ_0 and Σ'_0, and add Σ_L to Σ_0, that is, define Σ = Σ_0 ∪ Σ_L.

(iv) Finally, define Σ' with regard to Σ.
If there are constructors that use values of a type that is built by a constructor of Σ_L, we have to repeat the last two steps. If only one lifting is necessary, we can specify Σ_L together with Σ_0 in one step. Thus, array can be defined by (we do not list lifted kinds explicitly):

typesystem ARRAYS
kinds ANY
tcons nat, str, bool: → ANY
      array: nat × nat × ANY → ANY

Since sorts constructed by array are of kind ANY nested arrays are allowed by this definition — compare this to the definition of seq from above. (The same effect can be achieved by exploiting the properties of order-sorted algebra and defining a kind ARR with ARR ≤ ANY.) The constructor semantics are given by:

array(n, m, t)^A = array^A(n^A, m^A, t^A) = array^A({n}, {m}, t^A) = {n, ..., m} → t^A

Operations on arrays can be defined by (assume quantifications "∀ any ∈ ANY" and "∀ n, m ∈ nat¹"):

types from ARRAYS
funs newarray: nat × nat × any → array(n, m, any)
     select: array(n, m, any) × nat → any
     update: array(n, m, any) × nat × any → array(n, m, any)

Note that with the above definition range checking (for select/update) is not expressible on the type level; for example, the expression select(newarray(1, 9, true), 15) is type correct w.r.t. the above signature. By introducing a third algebra level, range checking will become possible. (Then arrays can be defined in a more general fashion based on a class of subrange types.)
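As an added example covering the two-level signatures of Sections 3 and 4 (not the paper's own code), here is a small checker in which the type system is a signature over kinds, type constructors carry kind ranks, and the language's operations are type schemes quantified over kinds; it rejects seq(seq(int)) as ill-kinded, infers seq(int) for a cons-built sequence, and accepts select(newarray(1, 9, true), 15), showing that range checking is indeed not expressible at this level. The tuple encodings, the name NAT for the lifted kind nat, and all function names are my own.

```python
# Added example (not the paper's own code): a two-level checker for the
# signatures of Sections 3 and 4. Types are tuples (constructor, *args);
# ("lift", n) is my encoding of the lifted type n-bar of kind NAT (the paper's
# kind nat); ("var", name, KIND) is a kind-quantified variable of a scheme.

# Level two: type systems as  constructor -> (argument kinds, result kind).
UNNESTED = {"int": ((), "ARG"), "str": ((), "ARG"), "bool": ((), "ARG"),
            "seq": (("ARG",), "SEQ")}                    # seq: ARG -> SEQ
ARRAYS = {"nat": ((), "ANY"), "str": ((), "ANY"), "bool": ((), "ANY"),
          "array": (("NAT", "NAT", "ANY"), "ANY")}      # array: nat x nat x ANY -> ANY

def kind_of(t, tsys):
    """Kind of the type term t in type system tsys, or None if ill-kinded."""
    if t[0] == "var":
        return t[2]
    if t[0] == "lift":                   # lifted value n, carrier {n}
        return "NAT" if isinstance(t[1], int) else None
    if t[0] not in tsys:
        return None
    arg_kinds, result = tsys[t[0]]
    if len(arg_kinds) != len(t) - 1:
        return None
    return result if all(kind_of(a, tsys) == k for a, k in zip(t[1:], arg_kinds)) else None

# Level one: languages as  operation -> (argument type patterns, result pattern);
# the quantifications "forall arg in ARG", "forall seq in SEQ", ... are implicit.
ARG, SEQ = ("var", "arg", "ARG"), ("var", "seq", "SEQ")
LISTS = {"nil": ((), SEQ),
         "cons": ((ARG, ("seq", ARG)), ("seq", ARG)),
         "hd": ((("seq", ARG),), ARG),
         "tl": ((("seq", ARG),), ("seq", ARG)),
         "length": ((SEQ,), ("int",))}
N, M, ANY = ("var", "n", "NAT"), ("var", "m", "NAT"), ("var", "any", "ANY")
ARRAYOPS = {"newarray": ((N, M, ANY), ("array", N, M, ANY)),
            "select": ((("array", N, M, ANY), ("nat",)), ANY),
            "update": ((("array", N, M, ANY), ("nat",), ANY), ("array", N, M, ANY))}

def match(pattern, actual, env, tsys):
    """Match a type pattern against a type, binding scheme variables in env."""
    if pattern[0] == "var":
        if kind_of(actual, tsys) != pattern[2]:
            return False
        return env.setdefault(pattern[1], actual) == actual
    if actual[0] == "var":               # still polymorphic, e.g. the type of nil
        return kind_of(pattern, tsys) == actual[2]
    return (pattern[0] == actual[0] and len(pattern) == len(actual)
            and all(match(p, a, env, tsys) for p, a in zip(pattern[1:], actual[1:])))

def subst(t, env):
    if t[0] == "var":
        return env.get(t[1], t)
    return (t[0],) + tuple(subst(a, env) for a in t[1:])

def typeof(term, lang, tsys):
    """Type of a term, or None. Terms: ("lit", type, value) or (op, *subterms)."""
    if term[0] == "lit":
        return term[1] if kind_of(term[1], tsys) is not None else None
    op, *args = term
    if op not in lang or len(lang[op][0]) != len(args):
        return None
    env = {}
    for pattern, sub in zip(lang[op][0], args):
        actual = typeof(sub, lang, tsys)
        if actual is None or not match(pattern, actual, env, tsys):
            return None
    return subst(lang[op][1], env)

# Constructed sample terms.
ONE_TWO = ("cons", ("lit", ("int",), 1), ("cons", ("lit", ("int",), 2), ("nil",)))
NESTED = ("seq", ("seq", ("int",)))                     # rejected: seq: ARG -> SEQ only
# select(newarray(1, 9, true), 15): type correct although 15 is out of range
OUT_OF_RANGE = ("select",
                ("newarray", ("lit", ("lift", 1), 1), ("lit", ("lift", 9), 9),
                 ("lit", ("bool",), True)),
                ("lit", ("nat",), 15))
```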







5 Three-Level Algebras 

Consider the function [ ] for constructing sequences, which is defined for an arbitrary number of 
arguments. The signature entries are: 

[ ] : ε → seq(any) 
[ ] : any → seq(any) 
[ ] : any × any → seq(any) 

To denote these signature entries we need for each argument type t a kind containing all product types 
over t. This can be achieved as follows: We define a kind constructor list (this is an operation on level 
three with the same semantics as seq). Now, list(K) denotes for a kind K all sequences of sorts from K. 
For example, the quantification "∀ any ∈ list(nat)" binds the sequences (), (nat), (nat, nat), ... to any. 
The desired product types can be obtained by "inserting" a "×" type constructor 
between each two adjacent types in a sort sequence. This is achieved by the higher order function fold: 

$fold^*(\otimes, ()) = \varepsilon$ 
$fold^*(\otimes, (t_1)) = t_1$ 
$fold^*(\otimes, (t_1, t_2, \dots, t_n)) = \otimes(t_1, fold^*(\otimes, (t_2, \dots, t_n)))$ 

Now the type of [ ] (for nat-sequences only) can be specified by: 

[ ] : fold(×, list(nat)) → seq(nat) 

A more precise account of this kind of specification requires higher order algebras [8, 9] and a more 
elaborate treatment of lifting. Finally, for the convenient specification of multi-level algebras we need a 
… that allows for the use of terms of all levels in the definition of operations' …. This will be 
covered by the full paper. 
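The following Python is an added example, not code from the paper: it implements fold* as defined above over sort sequences and enumerates a finite prefix of the kind list(K) in order to generate the signature entries of [ ] for all sequences up to a given length. The string used for ε, the tuple encoding of the × constructor and the function names are assumptions.

```python
# Added example (not from the paper): fold* over sort sequences and the kind list(K).
from itertools import product

EMPTY = 'ε'   # assumption: the empty product is written ε


def fold(op, sorts):
    """fold*(op, (t1, ..., tn)) = op(t1, fold*(op, (t2, ..., tn))), right-nested as in the text."""
    if len(sorts) == 0:
        return EMPTY
    if len(sorts) == 1:
        return sorts[0]
    return (op, sorts[0], fold(op, sorts[1:]))


def list_kind(kind, max_len):
    """Finite prefix of list(K): every sort sequence over the set of sorts K up to max_len."""
    return [seq for n in range(max_len + 1) for seq in product(sorted(kind), repeat=n)]


def signature_entries(name, kind, result, max_len):
    """Entries  name : fold(×, s) -> result  for every s in the prefix of list(K)."""
    return [(name, fold('×', seq), result) for seq in list_kind(kind, max_len)]


def show(t):
    """Render a product type with × written infix, e.g. (nat × (nat × nat))."""
    if isinstance(t, tuple):
        return f"({show(t[1])} × {show(t[2])})"
    return t
```

signature_entries('[]', {'nat'}, 'seq(nat)', 2) yields the three entries of the text for nat-sequences, and larger max_len values continue the family.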

6 Conclusions and Related Work 

Data models are still an area of ongoing research. Some reasons for this may be the constant identification 
of new applications for database systems and the desire for improving existing models. All the more 

¹ … can be obtained by lifting. 
it is surprising that no general framework is used, though, to describe the large variety of models. By 
using multi-level algebra we can describe different models within the same formalism. In the first place, 
this helps exhibiting relationships and differences which is necessary to fully understand and judge 
data models. Possibly, this could be used for implementations of one model by means of another or 
for investigations in the integration of heterogeneous database settings. If nothing else, the presented 
framework reveals the high complexity of seemingly simple data models, for example, the description of 
the relational model needs the full range of concepts indicated above (that is, lifting, three levels, higher 
order algebra). 

In fact, two-level algebras were already used in [12] to specify categories with certain properties for 
theoretical investigation and in [7] for the formalisation of the composition of specifications. In contrast, 
our concern is the specification of type systems, more specifically, the formal description of data models 
and languages. In this respect, the work of [5] is similar, although more directed towards the 
description of a specific system architecture. Particular differences are that [5] does not consider lifting, 
that no specification language exists, and that the approach (like [12, 7]) is limited to two levels. Another 
difference between [12, 7] and our work is that we employ more than only one sort on level two. In [2] 
many applications of multi-level algebra can be found. This includes the formalisation of graph types, 
heterogeneous sequences, and some operations with a variable number of arguments. In the full version 
of this paper we will give a specification of the relational model and an NF²-model. 

Finally, let us summarise some points counting in favor of using multi-level algebra and exhibiting 
its primary scope. 

- Parametric polymorphism is expressible. 

- All kinds of polymorphism (subtype, ad hoc, parametric) are describable within one formalism. 

- Type systems can be easily extended by new structures (graphs, heterogeneous sequences). This is 
important to meet changing requirements of new applications. 

- The definition of properties of type constructors (for example, associativity) is separated from the 
constructor semantics. 

- Recently, fairly general approaches to the type checking of languages defined by many-level 
signatures have become available [10, 6, 11]. In many cases, these methods are directly applicable to 
languages defined by multi-level algebra. 





1 Introduction 

We propose a system for software development which is aimed at merging the advantages of using methods from 
algebraic specification with features known from object-oriented systems, namely rapid prototyping, evolutionary 
programming, and reusability. Our proposal is a refinement of earlier work where we proposed to access 
functionally specified abstract data types from imperative modules [5]. 

A project is composed from modules with the usual operations of import, parametrisation, and renaming. 
There are three kinds of modules. Modules can be either functional, state machine, or imperative. 

Functional modules are specified in the executable first-order specification language SODA (specification in 
order-sorted data algebras). Data algebras are initial algebras of a modest extension of order-sorted algebra [2] 
by sort constructors and parametric polymorphism [6]. Derived functions are defined by recursive definitions 
as a conservative extension of the data algebra. 

The other kinds of modules (state machine and imperative) describe the non-functional parts of a project 
(e.g., interaction, database access). Their operations can not be used from functional modules. A state machine 
module defines a state and operations to manipulate the state and/or provide information about the state to 
the outside. 

Imperative modules play an important role for our system to be interesting for real world projects. At any 
point of the design process the implementation of a functional or state machine module can be replaced by an 
imperative module. Of course there is the requirement that replacements of functional modules remain side 
effect free. 


2 Foundation 

The foundation of the data algebra for functional and state machine modules is an extension of order-sorted 
algebra (OSA). While ordinary OSA employs a partial order of sorts and provides parameterisation only through 
module instantiations, we follow Hanus [3] by extending OSA with parametric polymorphic sort constructors 
and with a mechanism similar to record extensions as proposed by Wirth for the language Oberon [9,10]. While 
Hanus defines a two-level semantics for polymorphic structures, we give a different (one-level) semantics as an 
algebra that employs truly polymorphic data values. 


2.1 Preliminaries 

$\mathcal{P}_{fin}(M)$ denotes the set of finite subsets of $M$. For a function $f$ with domain $A$ and $A' \subseteq A$, $f|_{A'}$ denotes the restriction 
of $f$ to $A'$. We write $\bar a_k$ for the $k$-tuple $(a_1, \dots, a_k)$. 

A ranked alphabet $\Theta$ is a finite set of symbols with a total function $a: \Theta \to \mathbb{N}$ denoting the arity of the symbol. 
$\chi \in \Theta^{(k)}$ abbreviates $\chi \in \Theta$ and $a(\chi) = k$. The set $T_\Theta(V)$ of $\Theta$-terms over a set of variables $V$ is the smallest 
set $T$ where $V \cup \Theta^{(0)} \subseteq T$ and for all $k \in \mathbb{N}$, $\chi \in \Theta^{(k)}$, $t_1, \dots, t_k \in T$ it holds that $\chi(t_1, \dots, t_k) \in T$. If $V = \emptyset$ 
we write $T_\Theta$. The set of all variables occurring in term $t$ is $var(t)$. A substitution is a function $\sigma: V \to T_\Theta(V)$ 
where $\sigma v \ne v$ only for finitely many $v \in V$. Denote the set of substitutions over $T_\Theta(V)$ by $Subst(\Theta, V)$. A 
substitution $\sigma$ is extended to a function $\hat\sigma: T_\Theta(TV) \to T_\Theta(TV)$ by $\hat\sigma|_V = \sigma$, $\hat\sigma|_{\Theta^{(0)}} = id$, and for $\chi \in \Theta^{(k)}$ and 
$t_1, \dots, t_k \in T_\Theta(TV)$, $\hat\sigma(\chi(t_1, \dots, t_k)) = \chi(\hat\sigma t_1, \dots, \hat\sigma t_k)$. For convenience we write $\sigma$ instead of $\hat\sigma$. A renaming is 
a substitution that permutes the variables. Renamings induce an equivalence relation $\equiv \subseteq T_\Theta(V)^2$. 





2.2 Sorts and signatures 

A polymorphic order-sorted signature $\Sigma = (\Theta, \Delta)$ consists of a ranked alphabet $\Theta$ of sort constructors 
and a finite set $\Delta$ of operator symbols with a total function $a: \Delta \to \mathcal{P}_{fin}(D_\Sigma) \setminus \{\emptyset\}$ where $D_\Sigma = 
\{(\tau_1 \dots \tau_n, \tau_0, C) \mid \tau_i \in T_\Theta(TV), C \in \mathcal{C}\}$ denoting the arity of the symbol. $\mathcal{C}$ is the set of constraint sets: 
$\mathcal{C} = \mathcal{P}_{fin}(TV \times T_\Theta(TV))$; if $C \in \mathcal{C}$ and $\alpha \in TV$ there is at most one pair of the form $(\alpha, \tau) \in C$; furthermore 
$C$ can be linearly ordered to $\{(\alpha_1, \tau_1), \dots, (\alpha_m, \tau_m)\}$ so that $\alpha_i$ occurs in $\tau_j$ only if $i < j$. 

A polymorphic data structure declaration (PDSD) simultaneously defines a relation $\le$ on $T_\Theta$, sort terms 
without variables, and the arity of the data constructors. A PDSD is a system of equations of the form 
$\chi(\bar\alpha_k) = \dots + \tau + \dots + (\dots, cd, \dots)$ where $\chi \in \Theta^{(k)}$, $\alpha_i \in TV$, and $\tau, \tau_i \in T_\Theta(\{\alpha_1, \dots, \alpha_k\})$. A constructor 
declaration $cd ::= c \mid c(\bar\tau_n)$ declares the arity of $c \in \Delta$ to be $a(c) = \{(\tau_1 \dots \tau_n, \chi(\bar\alpha_k), \emptyset)\}$. 

The sort graph of a PDSD is the directed graph with vertices $\Theta$ and edges $(\chi \to \chi')$ if there is an equation 
$\chi(\bar\alpha) = \chi'(\bar\tau) + \dots$ Call a PDSD well-formed if its sort graph is acyclic. 

For a well-formed PDSD define a rewrite relation $\succ \subseteq T_\Theta(TV)^2$ by $\chi(\tau_1, \dots, \tau_k) \succ \tau'$ if there is an equation 
$\chi(\bar\alpha_k) = \tau + \dots$ and $\tau' = \tau[\tau_i/\alpha_i]$. $\succ^*$ denotes the reflexive, transitive, and $\Theta$-compatible closure of $\succ$. 

Define $\le \subseteq T_\Theta \times T_\Theta$ by $t_1 \le t_2$ if either $t_1 = \chi(\tau_1, \dots, \tau_k)$, $t_2 = \chi(\tau'_1, \dots, \tau'_k)$, $\tau_i \le \tau'_i$ for $1 \le i \le k$, or 
$t_1 \succ^* t_2$. The relation $\le$ is a partial order. $\le$ can be extended to $T_\Theta(TV)$ by adding the rules $\alpha \le \alpha$ 
for all $\alpha \in TV$ and defining $t_1 \le' t_2$ if $\exists\, t_2' \equiv t_2$ such that $t_1 \le t_2'$. 

Call a well-formed PDSD coherent if $\le$ is a type order, i.e., $\le$ is a partial order and if there is an upper 
(lower) bound of $\tau_1, \tau_2 \in T_\Theta(TV)$ then there is a least upper (greatest lower) bound denoted by $\tau_1 \sqcup \tau_2$ ($\tau_1 \sqcap \tau_2$). 
For technical reasons we require all PDSDs to be coherent. 


2.3 Algebras 

A polymorphic order-sorted algebra $(A, \iota)$ with signature $\Sigma = (\Theta, \Delta)$ consists of 

• a family $A = \{A^\tau \mid \tau \in T_\Theta(TV)\}$ of carrier sets indexed by (equivalence classes of) sort terms where for 
all $\tau, \tau' \in T_\Theta(TV)$ $A^\tau \subseteq A^{\tau'}$ if $\tau \le \tau'$ and also for all $\sigma \in Subst(\Theta, TV)$ it holds that $A^{\sigma\tau} \subseteq A^\tau$, and 

• a total function $\iota: \Delta \to Ops(A)$ (an interpretation) where $Ops(A) = \{A^{\tau_1} \times \dots \times A^{\tau_n} \to A^{\tau_0} \mid \tau_i \in 
T_\Theta(TV)\}$ and $\iota$ maps $f: (\tau_1 \dots \tau_n, \tau_0, C) \in \Delta$ to an element of $\{A^{\sigma\tau_1} \times \dots \times A^{\sigma\tau_n} \to A^{\sigma\tau_0} \mid \sigma \in 
Subst(\Theta, TV),\ \alpha \le \tau \in C \Rightarrow \sigma\alpha \le \sigma\tau\}$. 


2.4 Terms 

During the formation of terms we are given a value $v$ of sort $\tau$ and want to apply operation $f: (\tau_1, \tau_0, C_f) \in \Delta$. 
$f$ is applicable to $v$ if there is a substitution $\sigma$ such that $\sigma\tau \le \sigma\tau_1$ and the inequations $\sigma C_f$ are satisfied. We 
give a non-deterministic procedure SOLVE that is an adaption of the algorithm MATCH of [1] to our situation 
combined with some simplification rules. The procedure is given a set $C_0$ of inequations on sort terms as input. 
Upon termination it either yields a substitution $\sigma$ that satisfies $C_0$ or fails if no such $\sigma$ exists. The following 
deduction rules are applied to the initial set of inequations $C_f \cup \{\tau \le \tau_1\}$ and the identity substitution $id$. 


$$\frac{C \cup \{\chi(\bar\tau) \le \chi(\bar\tau')\},\ \sigma}{C \cup \{\tau_1 \le \tau'_1, \dots, \tau_k \le \tau'_k\},\ \sigma} \qquad (2.1)$$ 

$$\frac{C \cup \{\tau \le \tau'\},\ \sigma}{C \cup \{\tau'' \le \tau'\},\ \sigma} \quad \tau \notin TV,\ \tau \succ \tau'' \qquad (2.2)$$ 

$$\frac{C \cup \{\alpha \le \alpha\},\ \sigma}{C,\ \sigma} \quad \alpha \in TV \qquad (2.3)$$ 

$$\frac{C \cup \{\alpha \le \beta\},\ \sigma}{C[\alpha/\beta],\ \sigma \circ [\beta \mapsto \alpha]} \quad \alpha \ne \beta \in TV \qquad (2.4)$$ 

$$\frac{C \cup \{\alpha \le \tau,\ \alpha \le \tau'\},\ \sigma}{C \cup \{\alpha \le \tau \sqcap \tau'\},\ \sigma} \quad \text{fail, if } \nexists\, \tau \sqcap \tau' \qquad (2.5)$$ 

$$\frac{C \cup \{\tau \le \alpha,\ \tau' \le \alpha\},\ \sigma}{C \cup \{\tau \sqcup \tau' \le \alpha\},\ \sigma} \quad \text{fail, if } \nexists\, \tau \sqcup \tau' \qquad (2.6)$$ 

$$\frac{C \cup \{\tau \le \alpha\},\ \sigma}{C[\tau/\alpha],\ \sigma \circ [\alpha \mapsto \tau]} \quad \alpha \notin var(\tau) \qquad (2.8)$$ 

$$\frac{C \cup \{\alpha \le \tau\},\ \sigma}{C[\tau/\alpha],\ \sigma \circ [\alpha \mapsto \tau]} \quad \alpha \notin var(\tau) \qquad (2.9)$$ 


The rules are applied according to the following plan. First rule (2.1) is applied as often as possible. If now 
rule (2.2) is applicable we apply it by non-deterministically choosing a rewrite step and fall back to rule (2.1). 
If rule (2.2) was not applicable but there is still an inequation $\tau \le \tau'$ where $\tau$ and $\tau' \notin TV$ the procedure 
signals failure and backtracks to the last application of rule (2.2) where there is an alternative left. Otherwise 
rules (2.3) and (2.4) are repeatedly applied. Now rules (2.5) and (2.6) are iterated. Failure at these rules is not 
handled with backtracking. Now all inequations have the form $\alpha \le \tau$ or $\tau \le \alpha$ and for each variable $\alpha$ there 
is at most one inequation $\alpha \le \tau$ and at most one inequation $\tau \le \alpha$. Rule (2.7) deals with the case that both 
inequations are present for a given variable $\alpha$. After its application the procedure must fall back to rule (2.1). 

At this stage we have at most one inequation for every variable and it either has the form $\alpha \le \tau$ or $\tau \le \alpha$. 
The resulting substitution is built with rules (2.8) and (2.9). 

The procedure SOLVE has type $\mathcal{P}_{fin}(T_\Theta(TV)^2) \to Subst(\Theta, TV)$. On input $C$ it runs the rule system as 
outlined above on the initial configuration $C, id$. If the rules terminate successfully with configuration $\emptyset, \sigma$ then 
$\sigma$ is output, otherwise failure is signalled. 

For a signature $\Sigma = (\Theta, \Delta)$ define the term sets $T^\tau$ for $\tau \in T_\Theta(TV)$ as the smallest solution of 

• if $f: (\varepsilon, \tau, \emptyset) \in \Delta$ then $f \in T^\tau$, 

• if $f: (\tau_1 \dots \tau_n, \tau_0, C) \in \Delta$ and $t_i \in T^{\tau'_i}$ for $1 \le i \le n$ and $\sigma = SOLVE(\{\tau'_i \le \tau_i \mid 1 \le i \le n\} \cup C)$ then 
$f(t_1, \dots, t_n) \in T^{\sigma\tau_0}$. ($var(\tau_i) \cap var(\tau'_j) = \emptyset$ can be assumed.) 

The term algebra is defined as $(T, \iota)$ where the carrier $T = \{T^\tau \mid \tau \in T_\Theta(TV)\}$ and $T^\tau = \bigcup\{T^{\tau'} \mid \tau' \succ^* 
\tau'' \wedge \exists \sigma \in Subst(\Theta, TV): \sigma\tau'' = \tau\}$. The interpretation $\iota$ is defined for $f: (\varepsilon, \tau, \emptyset) \in \Delta$ by $\iota(f) = f$ and for 
$f: (\tau_1 \dots \tau_n, \tau_0, C)$ and $t_i \in T^{\tau'_i}$ by $\iota(f)(t_1, \dots, t_n) = f(t_1, \dots, t_n)$ if $SOLVE(\{\tau'_i \le \tau_i \mid 1 \le i \le n\} \cup C)$ succeeds. 

At this stage homomorphisms can be defined and the initiality of the term algebra can be proved. A semantics 
for the derived functions can be obtained in several ways. Either the principle of structural induction is used 
to define total functions on initial polymorphic OSAs (as proposed by Klaeren for many sorted algebras [4]), or 
monotone algebras are used to give a fixpoint semantics for general recursive functions. 
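As an added example (not the authors' code), the Python below implements a simplified SOLVE over constructed supersort declarations and uses it for the applicability check of term formation: apply_op returns the result sort στ₀ of f(t₁, ..., tₙ), or None when SOLVE fails and f is therefore not applicable to arguments of those sorts. The simplifications are mine, not the paper's: declared supersorts are given directly as rewrite patterns for rule (2.2), the meet and join of rules (2.5)/(2.6) are taken from the bounds themselves and must be pairwise comparable, and a variable with both a lower and an upper bound is bound to its lower bound (the page gives no rule (2.7) to follow). All sort names, declarations and operations are constructed.

```python
# Added example (not from the paper): a simplified SOLVE and the term-formation check.
# Sort terms are Var objects or tuples (constructor, arg1, ..., argk); a base sort is a 0-ary tuple.
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str


NAT, INT, REAL = ('nat',), ('int',), ('real',)
def LIST(t): return ('list', t)
def NELIST(t): return ('nelist', t)
A, P = Var('alpha'), Var('p')

# Constructed declarations (assumption): (sort pattern, declared supersort pattern).
# A rewrite step of rule (2.2) replaces a sort by a matching declared supersort.
SUPERSORTS = [(NAT, INT), (INT, REAL), (NELIST(P), LIST(P))]


def is_var(t):
    return isinstance(t, Var)


def subst(t, s):
    """Apply substitution s (dict Var -> term) to sort term t, following chains of bindings."""
    if is_var(t):
        return subst(s[t], s) if t in s else t
    return (t[0],) + tuple(subst(a, s) for a in t[1:])


def match(pat, term, m):
    """One-way matching of a declaration pattern against a term; None on mismatch."""
    if is_var(pat):
        if pat in m:
            return m if m[pat] == term else None
        return {**m, pat: term}
    if is_var(term) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        m = match(p, t, m)
        if m is None:
            return None
    return m


def supersorts(t):
    """All t'' with t ≻ t'' according to the declarations."""
    return [subst(rhs, m) for lhs, rhs in SUPERSORTS if (m := match(lhs, t, {})) is not None]


def occurs(v, t):
    return t == v if is_var(t) else any(occurs(v, a) for a in t[1:])


def extreme(bounds, greatest):
    """Join (greatest=True) or meet of several bounds of one variable, rules (2.5)/(2.6).
    Simplification (ours): the result must be one of the bounds and comparable with all others."""
    for b in bounds:
        if all(solve([(o, b)] if greatest else [(b, o)]) is not None for o in bounds if o != b):
            return b
    return None


def solve(constraints, s=None):
    """SOLVE: a substitution satisfying every inequation (lower, upper), or None."""
    s = {} if s is None else s
    work = [(subst(l, s), subst(u, s)) for l, u in constraints]
    work = [(l, u) for l, u in work if l != u]              # (2.3) and trivially true ground cases
    if not work:
        return s
    for i, (lo, hi) in enumerate(work):
        if is_var(lo) or is_var(hi):
            continue
        rest = work[:i] + work[i + 1:]
        if lo[0] == hi[0] and len(lo) == len(hi):           # (2.1) decompose argument-wise
            return solve(rest + list(zip(lo[1:], hi[1:])), s)
        for sup in supersorts(lo):                          # (2.2) rewrite lo, backtracking over choices
            found = solve(rest + [(sup, hi)], s)
            if found is not None:
                return found
        return None                                         # two constructor terms and no rule applies
    for lo, hi in work:                                     # (2.4) identify two variables
        if is_var(lo) and is_var(hi):
            return solve(work, {**s, hi: lo})
    lo, hi = work[0]                                        # each inequation now has one variable side
    v = lo if is_var(lo) else hi
    lowers = [l for l, u in work if u == v]
    uppers = [u for l, u in work if l == v]
    if any(occurs(v, b) for b in lowers + uppers):          # occurs check of (2.8)/(2.9)
        return None
    bound = extreme(lowers, True) if lowers else extreme(uppers, False)
    if bound is None:
        return None
    return solve(work, {**s, v: bound})                     # (2.8)/(2.9): bind v, re-check the rest


def apply_op(arity, arg_sorts):
    """Result sort of f(t_1, ..., t_n) for f with arity (param sorts, result sort, constraint set),
    or None when SOLVE fails, i.e. f is not applicable to arguments of these sorts."""
    params, result, constraints = arity
    s = solve(list(zip(arg_sorts, params)) + list(constraints))
    return None if s is None else subst(result, s)


# Constructed operations (assumption), written as in the text: (τ_1 ... τ_n, τ_0, C)
HEAD = ((NELIST(A),), A, ())               # only non-empty lists have a head
PLUS = ((INT, INT), INT, ())
SQRT = ((A,), REAL, ((A, REAL),))          # constraint set C = {alpha <= real}
CONS = ((A, LIST(A)), NELIST(A), ())
```

head applied to a value of sort list(nat) is rejected because list(nat) has no declared supersort matching nelist(α), while a value of sort nelist(nat) yields the result sort nat; cons of a nat onto a list(int) binds α to the join int of its two lower bounds.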

3 Methodology 

In the following subsections we briefly review the specification and programming facilities that may be used 
in the different kinds of modules. In order not to lose referential transparency we do not allow arbitrary calls 
between modules: imperative modules may call any function that is desired, state machine modules cannot call 
functions from imperative modules, and functional modules must only access functions from functional modules. 
This concept (confined to functional and imperative modules) originates from [5]. 

3.1 Functional modules 

Functional modules are composed of an interface, local declarations, and function definitions. The interface 
provides means to import and combine signatures and sort structures from other modules. Parts of imported 
signatures can be projected and renamed. Imported and locally declared entities can be declared visible for 
export. Nothing is exported by default. The local declarations extend the combined imported signatures by 
providing PDSDs as described in 2.2 and declaring operator symbols. Function definitions are mutually recursive 
definitions of locally declared operator symbols. Let $\Sigma = (\Theta, \Delta)$ denote the signature formed by imports and 
local declarations. The form of a definition is $f(x_1, \dots, x_n) = e$ where $f: (\tau_1 \dots \tau_n, \tau_0, C) \in \Delta$ is locally declared 
and $e \in E_\Sigma(\{x_1, \dots, x_n\})^{\tau_0}$ under the assumption that $x_i \in T^{\tau_i}$. The set of right hand side expressions $E_\Sigma$ 
is an extension of $T_\Sigma$ by the constructions $\mathbf{let}\ v = e\ \mathbf{in}\ e'$ and $\mathbf{case}\ e_0\ \mathbf{of} \dots c_j(v_1, \dots, v_k): e_j \dots$. 

Modules can be parameterized with respect to a signature. A parameter signature is specified by declarations 
of operator symbols and by PDSDs without constructor declarations. Parameter instantiation is provided as an 
extension to the import facility in the interface section. Proper instantiation is checked by matching signatures. 

3.2 State machine modules 

A state machine module can be regarded as the definition of an object class. It has interface and local 
declarations in the same way as functional modules. Additionally it declares a specific sort to be the state. The state 
sort can also be an extension of a supersort. This means that the arities of all constructors of the supersort are 
extended with identical additional components. Thus we can have multiple inheritance statically by means of 
OSA and single inheritance dynamically by means of the constructor extensions. State machine entities can be 
created dynamically and each entity has its own local state which is initialized at creation time. 

Furthermore, a state machine module contains definitions of operations that take the state as implicit 
argument and may update it destructively. Operations may invoke other operations, and they can return values. 
An operation $f$ is defined by $f(x_1, \dots, x_n) = \bar m\ \mathbf{return}\ e$, $e \in E_\Sigma$, where each $m_i \in M_\Sigma$, i.e., 
it is either an expression $m = e \in E_\Sigma$, or an assignment $m = x := e$ for $e \in E_\Sigma$, or a case decomposition 
$m = \mathbf{case}\ e\ \mathbf{of} \dots c_j(v_1, \dots, v_k): \bar m_j \dots$, $\bar m_j \in M_\Sigma$. 

3.3 Imperative modules 

In imperative modules we use the algebraic data structures as a type system for an ordinary imperative 
language. The programming language Oberon already has a record extension mechanism similar to our proposed 
constructor extensions. 









4 Conclusion 

The concept outlined above appears promising since it combines a specification method for abstract data types 
with clean handling of state. The restrictions that we impose on inter-module calls allow for an efficient 
implementation since it is possible to take advantage of the referential transparency in the implementation 
of functional modules. Most of these advantages carry over to state machine modules since side effects are 
restricted to updating the state. The imperative modules are provided as a last resort, for example for system 
level operations. 

By using an order-sorted framework we gain flexibility compared to our earlier work which builds on many-
sorted algebras and does not have the concept of state machine modules [5]. The improved flexibility entails 
better reusability and the possibility for evolutionary program design. 

We have a functional language implementation toolkit around an implementation technique that we have 
developed in earlier work [8,7]. We are currently preparing an implementation of the front end for the functional 
part of SODA in this environment. Furthermore we investigate the extensions needed to implement the state 
machine modules. For the imperative part we consider an extension of the programming language Oberon [9] 
with algebraic datatypes and overloading. 
Category Theory for the Configuration of Complex Systems 


Gillian Hill * 


The abstract framework of category theory is shown to provide a precise semantics for the 
configuration of complex systems from their component parts. Diagrams, defined as functors between 
categories, express configuration by representing the operations of combinators on recursively 
defined system components. Although modularity has been described as an essential property of 
complex systems, no clear and simple definition of a module has emerged at this general level. In 
this paper a new module concept is defined to represent reusable system components, at any level 
of development. The semantics of system configuration is given by the construction of colimit 
diagrams. 

A category theoretic semantics was given in [BG77] for putting theories together to make 
specifications. The activity of specification was viewed as theory-building in [TM87, Vel85] and 
interpretation between theories was formalised in a categorial framework in [MF90]. Category theory was 
used to define an abstract specification theory for refining specifications in [UG90]. In this paper 
these ideas are extended to provide a precise semantics for both structuring and implementing 
system components to configure a final executable system. 

A language for configuration, designed in [Hil92], is at a meta-level to a specification language and 
describes the operations of combinators on the specifications and modules that represent the system 
components. High-level combinators express the horizontal structuring of both specifications and 
modules by extension and parameterization; and also the vertical development, which is part of 
the design process, by implementation. The relationships between the component parts of systems 
have been identified at an intuitive level in order to choose appropriate high-level combinators for 
configuration. The high-level combinators have then been defined formally in terms of the more 
primitive combinators: interpretation, extension and conservative extension. A logical system 
includes the configuration theory and the application theories, to be configured. The logic for 
configuration must possess the strong Craig interpolation property in order to preserve conservative 
extensions of structured specifications under interpretation. 

The aim of this paper is to present a logical framework for the configuration of modular systems 
that is independent of any particular specification approach, design methodology or programming 
paradigm. First-order logic is chosen to express new operations for horizontal structuring and 
vertical implementation within a conceptual framework that is both simple and natural for 
engineers to use. System components are represented in a uniform development space by recursively 
defined objects with sorts in the set {specification, module}. In [Hil92] specifications are presented 
as objects in textual form that record the history of configuration as a sequence of operations 
by the combinators on recursively defined objects. In this paper the abstract category-theoretic 
semantics is functional with the primitive combinators represented by natural transformations 
between recursively defined diagrams. 

We define a diagram as a functor from the category of graphs to the category Conf of configured 
objects when the limit of the functor exists in Conf. The functor labels a graph, which has 
only a shape, by the specifications or modules, as the objects, at the nodes and by the morphisms 
between the objects as the arrows. The natural transformations that join objects, represented 
by diagrams, to form more structured diagrams become the morphisms between objects in the 
diagrams of the more structured objects. The semantics of the high-level combinators is given by 
the construction of colimit diagrams that express the joining together of structured objects that 
may share common parts. Morphisms representing conservative extensions are shown to be crucial 
for completing the construction of these colimit diagrams. Our definition of a diagram is based 
on that in [GMU88] but we change their presentation of the structured specifications. In addition 
we provide a more concrete semantics for our configuration language. This is given by a set of 
well-formed diagrams, that name both the objects at the nodes and the primitive combinators 

*Department of Computing, Imperial College of Science Technology, London, SW7 2BZ, gah@doc.ic.ac.uk 
that operate on these objects. These more concrete diagrams are the elements in the models for 
the configuration language and represent the structured objects. 

Our new module concept is proposed as an aid to managing the complexity of large systems by 
focusing on building systems from reusable components at any stage in system development. A 
module is created by a combinator from the textual specification of an object, and the semantics 
of module creation is based on the construction of a colimit for the diagram of that structured 
specification. Any number of uniquely named module instances can be created from a specification 
at any stage in system configuration. Modules may be created from primitive specifications before 
they are structured, or alternatively from complex specifications at the end of the structuring 
process. Similarly modules may be created from abstract specifications before they are implemented, 
or alternatively they may be created from concrete specifications at the end of the refinement 
process. 

As a simple example, obj one_roomed_house, structured as spec house[module room1], may be 
instantiated to spec house[module bedroom]. Alternatively, obj two_roomed_bungalow 
may be instantiated to spec house[module kitchen, module bedroom]. Module 
instances, uniquely named, may then be created for each of these structured specifications by 
an operation which is safer than low-level copying. The module instance of the house with one 
room as a bedroom will be structurally identical to the module instance of spec house[spec 
bedroom]. Their textual specifications would record different histories of specification, however: 
the first with instantiation by a module; the second by a specification. In the abstract semantics 
instantiation by a module is represented by interpretation between diagrams whose single nodes 
are colimit objects; instantiation by a specification is by interpretation between structured 
diagrams. To configure a house with three living rooms and three bedrooms we would structure a 
house parameterized by two types of room, spec house[spec room1, spec room2]. Three modules 
created from each of the specifications for a room could then be instantiated to the actual room 
required, such as lounge or guest bedroom. 

Our approach is intended to be loose and flexible. The engineer is able to choose, at each stage in 
building a system, between building from specifications or modules. The final configured object of 
a software system will be a structured object that is implemented and in the form of an executable 
module. In addition to this flexibility the engineer is able to express explicitly the sharing or 
non-sharing of system components. Flexibility is also provided within our theory of configuration by 
the commutative properties of the high-level combinators. We characterize these properties as the 
axioms for our theory of configuration in the style of the algebraic calculus of [BHK90]. 
In many recent applications of the algebraic paradigm to formal specification 
methodologies, already known algebraic frameworks (one-sorted/many-sorted/order-sorted 
total/partial/non-strict/generalised algebras with/without predicates equipped 
by equational/conditional/Horn-Clauses/first-order logic) are endowed with 
features, tailored for special purposes, in order to improve software development; for 
example think of higher-order functions and, in the field of concurrency, dynamic 
elements, temporal logic combinators, or event logic combinators (see e.g. [1, 4, 7, 
8, 9, 10]). 

Although it is often the case that the new features are in a sense orthogonal 
to the underlying algebraic framework and that the same construction applies to 
any sufficiently expressive formalism, in the practice ad hoc theories are developed, 
neglecting the parametric definition such theories are instances of. This lack of 
generality is conflicting with the ability of changing the basic formalism, and hence 
with the reuse of methodologies, seen as high-level theoretical tools for the software 
development. 

In any real application two steps can be distinguished in the process of getting 
the most suitable algebraic formalism: the choice of the most appropriate basic 
algebraic formalism (i.e. sufficiently powerful for the problem, but non-overcomplex) 
and the addition of the features needed in the particular case (e.g. entities for 
structured parallelism or higher-order functions for functional programming). Thus 
here we propose a modular construction of algebraic frameworks, formalized by 
means of operations on institutions, used as a synonym for logical formalism, in 
order to build richer institutions by adding one feature at a time. 

Many constructions used in the practice have meaning only for those institutions 
that represent "algebraic formalisms". In order to give sound foundations for the 
treatment of such operations, a preliminary step is the formal definition of which 
institutions correspond to algebraic frameworks. Here we propose a first attempt at 
the definition of algebraic-oriented institutions, that includes all interesting cases. 

Technically algebraic-oriented institutions are described by (standard) algebraic 
specifications, so that both theoretical and software tools are at hand to help in the 
building process; moreover algebraic specification users already have the know-how 
to understand and manipulate metaoperations building algebraic formalisms. 

Using this definition of algebraic-oriented institutions, we formally define some 
operations adding features to basic algebraic frameworks and show that 
the result of such operations applied to any algebraic-oriented institution is an 
algebraic-oriented institution, too; so that the result can be used as input for other 
operations, building in such way a formalism as rich as needed by the application. 


What is an algebraic-oriented institution   Let us give some hints of the basic 
characteristics of algebraic-oriented institutions. 

Analysing the algebraic formalisms present in literature it appears that 
signatures consist in all frameworks basically of a (possibly singleton) set of sorts, a 
(possibly empty) family of typed functions and a (possibly empty) family of typed 
predicates. Then these ingredients can be structured by means of (meta)functions, 
like higher-order functional sort or product sort constructors and accordingly built-in 
projection functions, or (meta)predicates, like the subsort relation for order-sorted 
signatures, or the observability property on sorts. This leads to characterize 
the algebraic-oriented signatures as subcategories of models of any partial algebraic 
specification including a standard part, sketched in the sequel, consisting of 
the (meta)sorts S, F and P together with the obvious arity total (meta)functions 
and the auxiliary subspecification Streams(sorts S) defining the sort S_Stream of 
streams on S. 


spec Σ_sig = 
  enrich Streams(sorts S) by 
  sorts F, P 
  opns 
    arity: F → S_Stream 
    P_arity: P → S_Stream 
    result_type: F → S 
  axioms 
    total(arity) 
    total(P_arity) 
    total(result_type) 

Thus, using this powerful internalization, the usual algebraic machinery is at 
hand in order to modularly define the requirements on the syntax, even using rapid 
prototyping tools. 

Consider as an example of application the definition of order-sorted signatures, 
see e.g. [6], where the standard part is enriched by an extra sort to denote the names 
of functions, so that overloading can be allowed, keeping distinct the operations from 
the names used in the language to denote them, and a binary predicate of subsort 
on sorts. Axioms to make the subsort relation a partial order are imposed, too. 


spec Σ_OSsig = 
  enrich Σ_sig by 
  sorts Op_Names 
  opns 
    name: F → Op_Names 
  preds 
    _ ≤ _ : S × S 
    _ ≤* _ : S_Stream × S_Stream 
  axioms 
    total(name) 
    s ≤ s' ∧ s' ≤ s ⊃ s = s' 
    s ≤ s' ∧ s' ≤ s'' ⊃ s ≤ s'' 
    s ≤ s 
    w ≤* w' ∧ s ≤ s' ⊃ s · w ≤* s' · w' 
    name(f) = name(g) ∧ arity(f) ≤* arity(g) ⊃ result_type(f) ≤ result_type(g) 
      -- overloading preserves subsorting 
These axioms define the minimal requirements that any order-sorted signature 
should satisfy; note that more sophisticated restrictions can be imposed as well, 
like regularity and coherency, using first-order axioms. Note also that morphisms 
between the models of this specification coincide with order-sorted signature 
morphisms. 

Accordingly with signatures, models and sentences have to be restricted. Roughly 
speaking models should be some kind of algebras, i.e. they should interpret the 
elements of sort S by sets, the elements of sort F by (possibly partial or non-strict) 
functions with the correct arity and the elements of sort P by (possibly non-strict) 
predicates. In particular all "algebras" used in practice, like many-sorted, partial, 
order-sorted, non-strict, etc., can be easily seen in the above way. 

Analogously to the choice made for signatures, sentences are defined as term 
algebras on uniform enrichments of their signatures by the Var, Term, Atom and 
Sen (meta)sorts and the obvious constructors for such sorts, together with the 
needed connectives, depending on the application that is intended to be faced, like 
first-order operators, temporal logic operators and so on. 

An example of operation on algebraic-oriented institutions   As an example 
of the operations supported by algebraic-oriented institutions, let us consider 
the introduction of elementary features for handling concurrency in any algebraic 
formalism. The intuitive idea is that some sorts classify dynamic elements and 
hence for any of those sorts a labelled transition system is introduced. Using the 
algebraic-oriented framework, this can be formalised by an operation dyn that on an 
algebraic-oriented institution AO = (AOSign, AOSen, AOMod, …), whose 
signature category AOSign is the model category of a (partial) specification Σ_AOSign 
enriching Σ_sig, gives as output the algebraic-oriented institution dyn(AO), whose 
signature category dyn(AOSign) is the model category of the following (partial) 
specification: 

T_dyn(AOSign) =
  enrich T_AOSign by
    opns   label: S -> S
           trans: S -> P
    preds  Dyn: S
    axioms arity(trans(s)) = s . label(s) . s
           Dyn(s) <=> D(trans(s))      (trans is defined only on dynamic sorts)
           Dyn(s) <=> D(label(s))      (label is defined only for dynamic sorts)

As the signature category dyn(AOSign) is a (full) subcategory of AOSign, models and sentences for dyn(AO) are simply the restrictions respectively of AOMod and AOSen to dyn(AOSign).
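The following is an added illustration of the dyn construction, not code from the paper: a signature is modelled as a finite object with sorts (sort S), operation symbols (sort F) and predicate symbols (sort P), dyn adds a label sort and a transition predicate for every sort declared dynamic, and a checker tests the three axioms of T_dyn. The names `lab_<s>` and `trans_<s>` and the counter signature are assumptions of the example; the paper fixes only the arity s . label(s) . s.

```python
# Added illustration of the dyn operation on signatures (not the paper's
# code): signatures are finite, dyn enriches them with a labelled transition
# system per dynamic sort, and `violations` checks the T_dyn axioms.
from dataclasses import dataclass, field


@dataclass
class Signature:
    """Finite signature: elements of sort S, F and P of the text."""
    sorts: set                                  # elements of sort S
    opns: dict                                  # F: name -> (argument sorts, result sort)
    preds: dict                                 # P: name -> argument sorts
    dynamic: set = field(default_factory=set)   # sorts on which Dyn holds
    label: dict = field(default_factory=dict)   # label: S -> S (partial)
    trans: dict = field(default_factory=dict)   # trans: S -> P (partial)


def dyn(sig, dynamic_sorts):
    """Enrich `sig` with a label sort and a transition predicate per dynamic sort.

    The names lab_<s> and trans_<s> are an assumption of this example.
    """
    unknown = set(dynamic_sorts) - sig.sorts
    if unknown:
        raise ValueError(f"dynamic sorts not in signature: {sorted(unknown)}")
    out = Signature(set(sig.sorts), dict(sig.opns), dict(sig.preds),
                    set(dynamic_sorts), dict(sig.label), dict(sig.trans))
    for s in sorted(dynamic_sorts):
        lab, tr = f"lab_{s}", f"trans_{s}"
        out.sorts.add(lab)                 # the label sort of s
        out.preds[tr] = [s, lab, s]        # arity(trans(s)) = s . label(s) . s
        out.label[s] = lab                 # label is defined on s
        out.trans[s] = tr                  # trans is defined on s
    return out


def violations(sig):
    """Return the T_dyn axioms violated by `sig` (empty list if it is a model)."""
    found = []
    for s in sorted(sig.sorts):
        is_dyn = s in sig.dynamic
        # Dyn(s) <=> D(trans(s)) and Dyn(s) <=> D(label(s)):
        # both maps are defined exactly on the dynamic sorts
        if (s in sig.trans) != is_dyn:
            found.append(f"Dyn({s}) <=> D(trans({s})) fails")
        if (s in sig.label) != is_dyn:
            found.append(f"Dyn({s}) <=> D(label({s})) fails")
        if is_dyn and s in sig.trans and s in sig.label:
            if sig.label[s] not in sig.sorts:
                found.append(f"label({s}) is not a sort")
            # arity(trans(s)) = s . label(s) . s
            if sig.preds.get(sig.trans[s]) != [s, sig.label[s], s]:
                found.append(f"arity(trans({s})) != {s} . label({s}) . {s}")
    return found


# Constructed sample: a counter process whose state sort `proc` is dynamic.
COUNTER = Signature(
    sorts={"nat", "proc"},
    opns={"zero": ([], "nat"), "succ": (["nat"], "nat"),
          "new": (["nat"], "proc"), "value": (["proc"], "nat")},
    preds={},
)


def demo():
    """Axiom check of a correct enrichment and of one with a wrong arity."""
    enriched = dyn(COUNTER, {"proc"})
    broken = dyn(COUNTER, {"proc"})
    broken.preds["trans_proc"] = ["proc", "proc"]   # wrong arity on purpose
    return violations(enriched), violations(broken)


if __name__ == "__main__":
    print(demo())
```

Since dyn(AO) is again an algebraic-oriented institution, the same `Signature` object can be fed to a further operation of this kind, which is how the text proposes to add one feature at a time.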

Several instances of this construction have been independently developed in applicative projects starting from different basic algebraic formalisms (see e.g. [1, 2]). Note that, as dyn(AO) is an algebraic-oriented institution too, it can be used as argument for further operations, adding a feature at a time, e.g. temporal logic combinators, in a modular way.

Relationships with other approaches. This work continues and adds to [3], where some operations on institutions were proposed in order to deal with some uniform enrichment of logical formalisms that, although arisen in the field of concurrency, have a general character and can be defined on any institution (and on algebraic-oriented institutions result in algebraic-oriented institutions, too).
Algebraic-oriented institutions differ from the abstract algebraic institutions by Tarlecki (see e.g. [11]) not only in purposes, since algebraic-oriented institutions are designed to support the definition of operations among several institutions more than constructions on the models of one institution, but also from the technical point of view. Indeed, using only the categorical characteristics of institutions (as in [11]) we cannot add the features of interest, since they explicitly involve the components of syntax and the elements of the algebraic models.

Although algebraic-oriented institutions share with parchments (see [5]) the intuition of using usual algebraic machinery to deal with institution ingredients, the aim of parchments is to define institutions starting from some basic syntactic elements in a canonical way.


References 

[1] E. Astesiano and G. Reggio. SMoLCS-driven concurrent calculi. In Proc. TAPSOFT'87, Vol. 1, number 249 in L.N.C.S., Berlin, 1987. Springer Verlag.

[2] E. Astesiano and G. Reggio. A structural approach to the formal modelisation and specification of concurrent systems. Technical Report PDISI-92-01, DISI, Università di Genova, Italy, 1992.

[3] M. Cerioli and G. Reggio. Institutions for very abstract specifications. Submitted, 1992.

[4] G. Costa and G. Reggio. Abstract dynamic data types: a temporal logic approach. In Proc. MFCS'91, number 520 in L.N.C.S., Berlin, 1991. Springer Verlag.

[5] J. Goguen and R. Burstall. A study in the foundations of programming methodology: Specifications, institutions, charters and parchments. In D. Pitt, S. Abramsky, A. Poigné, and D. Rydeheard, editors, Proceedings of Summer Workshop on Category Theory and Computer Programming, number 240 in L.N.C.S., pages 313-333, Berlin, 1986. Springer Verlag.

[6] J. Goguen and R. Diaconescu. A survey of order sorted algebra. Draft, 1992.

[7] K. Meinke. Universal algebra in higher types. Theoretical Computer Science, 100(2), 1992.

[8] B. Möller, A. Tarlecki, and M. Wirsing. Algebraic specification with built-in domain constructions. In Proc. of CAAP'88, number 299 in L.N.C.S., Berlin, 1988. Springer Verlag.

[9] G. Reggio. Entities: an institution for dynamic systems. In Recent Trends in Data Type Specification, number 534 in L.N.C.S., Berlin, 1991. Springer Verlag.

[10] G. Reggio. Event logic for specifying abstract dynamic data types. In Recent Trends in Data Type Specification, number 655 in L.N.C.S., Berlin, 1992. Springer Verlag.

[11] A. Tarlecki. Quasi-varieties in abstract algebraic institutions. J. of Comp. and Syst. Science, 33, 1986.







On the Correctness of Modular Systems 
In the design and implementation of a large system modularity is a critical issue. Large systems need to be divided into blocks so that system development becomes more manageable, clear, modifiable and reusable. These blocks, known as modules, are self-contained entities with individual meaning that are connected among them in such a way that their interconnections define the intended software system. System design involves both the construction of the module structure at the specification level and the implementation of each module. Since implementation only appears at the level of each module, it would be desirable to ensure that the correct implementation of each module guarantees the correct implementation of the whole software system.

In this paper, we study the correctness of modular systems in a simple framework, including both specification design and implementation. This framework may be described as follows:

We consider two institutions, SPEC and PROG, underlying the specification and programming languages, respectively. For simplicity, we assume that both institutions share the same category of signatures and the same model functor, i.e. they differ in the Sent functor and in the satisfaction relation. Additionally we assume that both institutions are semiexact, i.e. they have pushouts and amalgamations [EBCO 91], and are equipped with an inclusion system [DGS 91].

A module M is assumed to be a pair of specifications, M = (IMP, EXP), with IMP ⊆ EXP, where IMP and EXP denote, respectively, the import and export specifications of M. The results obtained can be generalized to more complex forms of modules, such as those of [... 89, ST 89]. Its meaning is given by an associated constructor k_M: Mod(IMP) → Mod(EXP) [ONS 91]. If M1 = (IMP1, EXP1) and M2 = (IMP2, EXP2) and f: IMP1 → EXP2 is a specification morphism then we define the composition M1 ∘f M2 as (IMP2, EXP2'), where EXP2' is defined by the following pushout diagram:

    IMP1 -------> EXP1
     |             |
   f |             |
     v             v
    IMP2 -------> EXP2 -------> EXP2'

At the model level, the constructor associated to M1 ∘f M2 is defined by k' ∘ k_M2, where k' is the extension of k_M1 with respect to the above pushout diagram.
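A worked instance of the composition M1 ∘f M2 just defined, as an added example that is not the paper's code: specifications are modelled as finite sets of symbol names, specification morphisms as total functions between them, and IMP ⊆ EXP as set inclusion, so the pushout of EXP1 ← IMP1 → EXP2 is computed by gluing the symbols that f identifies (union-find over the disjoint union). The sample modules and the renaming rule for name clashes are assumptions of the example; the model-level constructor is not modelled.

```python
# Added example (not from the paper): module composition M1 ∘f M2 by a
# pushout, with specifications as finite sets of symbol names and
# specification morphisms as total functions (dicts) between them.


def pushout(exp1, imp1, f, exp2):
    """Pushout of the span EXP1 <- IMP1 -f-> EXP2 in finite sets.

    Symbols of EXP1 and EXP2 are glued whenever f identifies them.  The
    result keeps the names of EXP2; an EXP1-only symbol whose name clashes
    with an unrelated EXP2 symbol is renamed with a prime (an assumption of
    this example).  Returns (EXP2', g1, g2) with g1: EXP1 -> EXP2' and
    g2: EXP2 -> EXP2' as dicts.
    """
    if not imp1 <= exp1:
        raise ValueError("IMP1 must be included in EXP1")
    if set(f) != set(imp1) or not set(f.values()) <= exp2:
        raise ValueError("f must be a total function IMP1 -> EXP2")

    # disjoint union of EXP1 and EXP2, elements tagged by origin
    parent = {(1, x): (1, x) for x in exp1}
    parent.update({(2, y): (2, y) for y in exp2})

    def find(node):                       # union-find with path halving
        while parent[node] != node:
            parent[node] = parent[parent[node]]
            node = parent[node]
        return node

    for x in imp1:                        # glue x in EXP1 with f(x) in EXP2
        parent[find((1, x))] = find((2, f[x]))

    classes = {}                          # equivalence classes of the quotient
    for node in parent:
        classes.setdefault(find(node), []).append(node)
    names = {}
    for root, members in classes.items():
        from_exp2 = sorted(n for tag, n in members if tag == 2)
        if from_exp2:
            names[root] = from_exp2[0]    # EXP2 keeps its own names
        else:
            n = sorted(n for _, n in members)[0]
            names[root] = n + "'" if n in exp2 else n

    g1 = {x: names[find((1, x))] for x in exp1}
    g2 = {y: names[find((2, y))] for y in exp2}
    return set(names.values()), g1, g2


def compose(m1, m2, f):
    """M1 ∘f M2 = (IMP2, EXP2') for M1 = (IMP1, EXP1), M2 = (IMP2, EXP2)."""
    imp1, exp1 = m1
    imp2, exp2 = m2
    if not imp2 <= exp2:
        raise ValueError("IMP2 must be included in EXP2")
    exp2_prime, g1, g2 = pushout(exp1, imp1, f, exp2)
    # the pushout square commutes: g1 on IMP1 equals g2 ∘ f
    assert all(g1[x] == g2[f[x]] for x in imp1)
    return imp2, exp2_prime


# Constructed sample: M1 exports a parity test over the naturals it imports,
# M2 builds the naturals with addition from the sort name alone.
M1 = ({"nat", "zero", "succ"}, {"nat", "zero", "succ", "bool", "even"})
M2 = ({"nat"}, {"nat", "zero", "succ", "plus"})
F = {"nat": "nat", "zero": "zero", "succ": "succ"}

if __name__ == "__main__":
    print(compose(M1, M2, F))
```

The composed module imports only what M2 imports and exports everything of EXP2 plus the symbols M1 adds on top of its import, which is exactly what the pushout identifies along f.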

A software system S is assumed to be a triple (SP, MSPEC, MPROG), where SP is a requirements specification, including the signature of the whole system and the global properties that must be satisfied. MSPEC and MPROG are, respectively, (finite) sets of specification and program modules whose signatures are included in the signature of SP. In general, we assume that systems may be unfinished. For instance, the signature of SP may not necessarily be the 'union' of all the signatures of the modules in MSPEC, i.e. some components of the system may be not specified yet. Also, every module in MPROG is the translation of a module in MSPEC (its implementation in the given programming language), but there may be some modules in MSPEC whose translation is not in MPROG (i.e. modules not yet implemented).

In order to define the semantics of a system S = (SP, MSPEC, MPROG) we consider the modules as 'constraints' that must be satisfied by the given models: an SP-model A 'satisfies' or 'includes' a module M = (IMP, EXP), A |= M, iff A|EXP = k_M(A|IMP), i.e. if the EXP-part of A is the result of applying k_M to the corresponding IMP-part. If S is finished in the above sense, then its meaning can also be defined in terms of the composition of all the modules in MSPEC. Both semantics can be proved compatible (see [OSC 89] for a special case). In the latter case, the semantics can also be defined equivalently in terms of the composition of all the modules in MPROG.

We consider three basic operations for system development: adding a new specification module to the given system; adding a new program module 'translating' a specification module in the system; and, finally, specifying a simulation implementation [ONS 91]. In the latter operation, we assume that given two specification modules M1 = (IMP1, EXP1) and M2 = (IMP1, EXP2) in the system, such that M2 can not be directly translated into the programming language, if we find out that a new specification module M3 is an implementation of M2 using M1 (with respect to some suitable notion of behavioural equivalence [Rei 81, ONS 91] in the given institutions), i.e.

∀A ∈ Mod(IMP1)   k_{M3 ∘ M1}(A) ≡Beh k_{M2}(A)

then we can substitute M2 by M3 in the system. For instance, if M2 is a module specifying sets, M1 is a module specifying strings and M3 is a module enriching strings with set operations such that the result of forgetting the string operations in the module M3 ∘ M1 is behaviourally equivalent to M2, then we can substitute the set specification by the two modules M1 and M3.

Unfortunately, it may be shown that the latter operation, in general, does not preserve the consistency of a system, as the following counter-example shows. Let SP1, SP2 and SP3 be the following specifications:

SP1 = NAT +             SP2 = sorts nat, s      SP3 = SP2 +
      sorts s                  opns a: s               opns g: s -> nat
      opns a, b: s                                     eqns g(a) = f(a)
      eqns a = b
           f(x) = 0

where NAT denotes the specification of the natural numbers. Now let S be the system formed by the modules M1 = (∅, NAT), M2 = (NAT, SP1) and M3 = (SP2, SP3). Then it can be easily shown that the algebra A defined by A_nat = N, A_s = {a}, a_A = b_A and f_A(a) = 0, g_A(a) = 0 satisfies the three modules (assuming that the constructor associated to a module coincides with the associated free construction). Now, let SP1' be the following specification

SP1' = NAT +
       sorts s
       opns a, b: s
            f: s -> nat
       eqns f(x) = 0

and let M2' be the module (NAT, SP1'). Now, assuming that nat is an observable sort and s is non-observable, M2' is a correct simulation implementation of M2. However, there does not exist any algebra satisfying M1, M2' and M3.

This seems to be against the principle of modularity. However, let us assume that the given programming language is stable in the following sense (related notions of stability [Sch 87, ST 89] are essentially equivalent):

Given a program module M = (IMP, EXP), if A is behaviourally equivalent to A', with A, A' ∈ Mod(SP) for a specification (or program) SP including IMP, and if the amalgamated sums A +_{A0} A1 and A' +_{A0'} A1' can be built (i.e. the language allows the pushout associated to these amalgamations), where A0 = A|IMP, A0' = A'|IMP, A1 = k_M(A0) and A1' = k_M(A0'), then A +_{A0} A1 and A' +_{A0'} A1' are behaviourally equivalent.

Then, the problems shown in the above counter-example are not really important. In particular, if S' is a finished system, obtained after a series of correct development steps from a system S, then the meaning of the composition of all the modules in MPROG is a realization of S, even if some 'intermediate' systems were inconsistent.

Theorem

Let S = (SP, MSPEC, MPROG) be a consistent system and let S' = (SP', MSPEC', MPROG'), with SP ⊆ SP', be a finished system obtained after applying a sequence of translation and implementation steps over S. Then Sem(S') = {A ∈ Mod(SP') | ∀M ∈ MPROG', A |= M} ≠ ∅ and, in addition, ∀A ∈ Sem(S') ∃B ∈ Sem(S) such that

A|SP ≡Beh B
INTERACTION BETWEEN ALGEBRAIC SPECIFICATION GRAMMARS AND MODULAR SYSTEM DESIGN

¹ Fachbereich Informatik

² Dipartimento di Matematica Pura ed Applicata, Università degli Studi L'Aquila
For the last 20 years, abstract data types have been (usefully) described using algebraic specifications, within different frameworks including equational institutions, and with diverse semantics, from initial to loose to stratified to behavioral. An extension of the original formulation which allows to isolate a variable part (thus generalising parametrised specifications) and to hide details of the specification from the outside has been defined in [9, 1, 5]. A module specification in such a framework consists of four parts: an export interface EXP specifying what the module specification produces, an import interface IMP describing what the module specification consumes or needs, a body part BOD describing how the module specification uses the imported items to construct the exported ones, and a parameter part PAR which can be actualised by different actual specifications and which is left unchanged by the semantics of the module specification, which is a functorial transformation from the category of models of IMP to the category of models of EXP. The different parts are related by four specification morphisms (usually inclusions) as in the following diagram

            e
    PAR ---------> EXP
     |              |
     |              | v
     v              v
    IMP ---------> BOD
            s

The items not in the image of v are to be considered hidden and thus not visible from other modules. Each module is seen as a self-contained unit which can be developed independently and interconnected with other modules. Three basic interconnection mechanisms have been defined to construct complex systems: a union MOD1 +_MOD0 MOD2 where each part is the union of the corresponding ones in MOD1 and MOD2, identifying the MOD0 part; an actualisation act_h(PS, MOD), where a parametrised specification PS is substituted via the specification morphism h for PAR in each component of MOD; and a composition MOD1 ∘_h MOD2, where the import IMP1 is matched via h with the export EXP2. Each interconnection can be viewed as an operation on module specifications which preserves correctness and which produces a module specification whose semantics can be expressed in terms of those of the operands.

Given a library LIB of module specifications, an important problem is to determine whether there is a way to interconnect a subset of LIB so that the import and export interfaces of the overall system are some given specifications BASE and GOAL. This problem has been tackled in [11, 12, 13] by considering the visible part of MOD, i.e., the specifications PAR, IMP and EXP, as a production p : IMP ← PAR → EXP similar to those of the algebraic theory of graph grammars [2]. A direct derivation p : SPEC ⇒ SPEC' with such a production p is a double pushout diagram

    IMP <------- PAR -------> EXP
     |            |            |
     v            v            v
    SPEC <------ CON -------> SPEC'

where CON is the context specification unchanged by the transformation. Denote as usual by ⇒* the reflexive and transitive closure of ⇒.

It has been shown in [12, 13] that, given a library LIB of module specifications represented by their interfaces PRO = {p_i : IMP_i ← PAR_i → EXP_i, i ∈ I}, then BASE ⇒* GOAL using PRO if and only if there exists an interconnection, using only actualisation and composition with identity, of (some of) the module specifications of LIB such that BASE and GOAL are the overall import and export interfaces, respectively. This result can be seen as a way to construct a prototype of a system which, given a (built-in) realisation of BASE, provides a realisation of GOAL (which can be used to test the adequacy of the specification), since there is a systematic way of translating a derivation sequence BASE ⇒* GOAL into the appropriate combination of the interconnections.

The initial item BASE and the set of productions PRO define a grammar, an algebraic specification grammar [6], which generates a language L(BASE, PRO) whose membership problem corresponds to the realisability of GOAL.
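The membership problem of L(BASE, PRO) worked through on a toy library, as an added example that is not the paper's code: specifications are finite sets of symbol names, a production (IMP, PAR, EXP) applies to SPEC under the identity occurrence IMP ⊆ SPEC, and with sets the double pushout has the context CON = (SPEC \ IMP) ∪ PAR and the result SPEC' = CON ∪ EXP, so a breadth-first search over derivation steps decides BASE ⇒* GOAL and returns the derivation sequence that the text says can be translated into interconnections. The library, BASE and GOAL are constructed for the example; the gluing-condition issue raised below for general specifications does not arise for plain sets.

```python
# Added example (not from the paper): an algebraic specification grammar
# over finite symbol sets and a search deciding GOAL ∈ L(BASE, PRO).
from collections import deque


def direct_derivation(spec, production):
    """SPEC => SPEC' with p = (IMP, PAR, EXP); None if p is not applicable."""
    imp, par, exp = production
    if not (par <= imp and par <= exp):
        raise ValueError("PAR must be included in both IMP and EXP")
    if not imp <= spec:                 # an occurrence morphism IMP -> SPEC must exist
        return None
    con = (spec - imp) | par            # pushout complement: the context CON
    return con | exp                    # second pushout: glue EXP onto CON


def derive(base, goal, productions, max_steps=20):
    """Breadth-first search for a derivation sequence BASE =>* GOAL.

    Returns the list of production names used ([] when BASE == GOAL), or
    None when GOAL is not derivable within max_steps steps.
    """
    base, goal = frozenset(base), frozenset(goal)
    queue = deque([(base, [])])
    seen = {base}                       # the symbol universe is finite, so this terminates
    while queue:
        spec, path = queue.popleft()
        if spec == goal:
            return path
        if len(path) >= max_steps:
            continue
        for name, prod in productions.items():
            nxt = direct_derivation(spec, prod)
            if nxt is None:
                continue
            nxt = frozenset(nxt)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [name]))
    return None


# Constructed library LIB, given by the visible interfaces (IMP, PAR, EXP)
# of its module specifications.  "sorter" consumes nil and cons, which are
# therefore hidden in the overall export.
LIB = {
    "lists":  ({"nat"}, {"nat"}, {"nat", "list", "nil", "cons"}),
    "sorter": ({"nat", "list", "nil", "cons"}, {"nat", "list"}, {"nat", "list", "sort"}),
    "bools":  (set(), set(), {"bool"}),
}
BASE = {"nat"}
GOAL = {"nat", "list", "sort"}

if __name__ == "__main__":
    print(derive(BASE, GOAL, LIB))      # production names of one derivation sequence
```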

This solution is not satisfactory for two reasons: the first one is that not every interconnection can be obtained from a derivation sequence (in particular, general compositions with non-identity matching morphism IMP1 → EXP2); the second one is that an occurrence morphism IMP → SPEC does not guarantee the applicability of the production [11], while it should be possible to use only part (namely h(IMP)) of SPEC as input of MOD. This suggests the notion of restricting derivation sequences SP0 > SPn with

SP0 ← SP1 ⇒ SP1' ← SP2 ⇒ ... ← SPn

where, having generated SP0, we can generate SP1' provided that there exist SP1 and a specification morphism SP1 → SP0 such that SP1 ⇒ SP1'. We then have

Theorem 1. BASE > GOAL via the productions PRO
if and only if
there exists an interconnection with general composition and actualisation using LIB with overall interfaces BASE and GOAL.


It is direct to show that if SP ⇒* SP', then SP > SP' but not necessarily vice versa, and it has been shown [14] that the immediate extension of restricting derivation sequences to graphs is more expressive than the single pushout approach to graph transformations [10].

The approach can be extended in a straightforward manner to High Level Replacement Systems [3]. Such systems have been defined to generalise, in an axiomatic way to arbitrary categories, the Parallelism Theorem, the Concurrency Theorem and other similar results typical of the algebraic theory of graph grammars [2]. By selecting a distinguished subset M of morphisms to be used in the productions, High Level Replacement Systems can be classified (at least) as HLR0, HLR0.5, HLR0.5*, HLR1 and HLR1* depending on which set of generic properties on the underlying category they satisfy and which are sufficient to guarantee properties such as local confluency of independent derivations (Church-Rosser property) or replacing a sequence p1 ∘ p2 of independent derivations with one step using their disjoint union p1 + p2 (Parallelism Theorem).

Recently [4], results on canonical derivation sequences for graph grammars have been extended to HLR systems. It has been shown that canonical derivations exist for HLR0.5 systems and are unique for HLR1* systems. A canonical derivation is a derivation which does not contain two steps p1 : G0 ⇒ G1 and p + p2 : G1 ⇒ G3 where p1 : G0 ⇒ G1 and p : G1 ⇒ G2 are sequentially independent. For non canonical derivations in which such a situation occurs, the application of p could be shifted earlier to obtain the equivalent derivation sequence p + p1 : G0 ⇒ G2, p2 : G2 ⇒ G3, which increases the leftmost parallelism. Equivalence of derivations is defined as the reflexive, symmetric and transitive closure of the shift relation.

Of the three possible ways of defining the category of algebraic specifications considered in [6, 4], only the one which allows to distinguish, through labels, equations between terms guarantees unique canonical derivations, while if the specification morphisms f : SPEC1 → SPEC2 are such that f#(E1) is either derivable or contained in E2, then every derivation has an equivalent canonical one, which is not necessarily unique.

Canonical derivation sequences can be used to check the equivalence of modular systems. There are several ways of defining equivalence between modular systems, among which:

- S1 equiv1 S2 if the flattened versions obtained by applying as operations the interconnections have isomorphic interfaces

- S1 equiv2 S2 if, in addition, the corresponding semantical functors are naturally isomorphic

- S1 equiv3 S2 if the flattened versions are isomorphic

Having the possibility of defining a unique canonical equivalent structuring of a system allows the testing for the equivalence of two arbitrary systems by comparing their canonical forms. By using equiv1 as our notion of equivalence and by limiting the systems to using only disjoint union, actualisation and identity composition and the most restrictive form of specification morphisms (called SPEC3 in [7]) we have

Theorem 2. Every modular system has a unique canonical equivalent one.

We expect to be able to extend this result to equivalence according to equiv2 and to systems built using general composition.
Abstract

Concurrent languages can be broadly categorized into:

1. Asynchronous: A program is a set of loosely coupled independent execution units or processes, each process evolving at its own pace. Interprocess communication is done by mechanisms such as message passing. Communication as a whole is asynchronous in the sense that an arbitrary amount of time can pass between the desire of communication and its actual completion. This class includes languages such as Ada, Occam, CSP etc.

2. Synchronous: Here, programs are thought of as reacting instantaneously to their inputs by producing the required outputs. Statements evolve in a tightly coupled input-driven way and communication is done by instantaneous broadcasting, the receiver receiving a message exactly at the time it is sent. Languages such as Esterel [BeGo 92], Lustre, Signal, Statecharts belong to this category.

Recently, we have proposed [BeRaSh 93] a new programming paradigm called Communicating Reactive Processes (CRP) that unifies the capabilities of asynchronous and synchronous concurrent programming languages with a view to specifying complex reactive systems which usually have both synchronous and asynchronous features. A CRP consists of a network of Esterel programs where each node can be considered to be reactively driving a part of a complex network that is handled globally by the network. The central idea of establishing asynchronous communication between nodes lies in extending the asynchronous interaction into a communication primitive. The usual send and receive asynchronous operations are represented by particular tasks that handle the communication. A spectrum of message passing types such as non-blocking send for full asynchrony, or CSP-like send and receive primitives etc. are possible¹ through CRP.

In this paper, we show that

• CRP can model asynchronous systems operating in dense real-time domains, and

• CRP can model "continuous" computations and thus provides a convenient formalism for specifying hybrid systems.

¹ In the full paper, we will discuss the above classification in the context of cooperation-synchronism and communication-synchronism and the expressivity of CRP with reference to such a classification.

A broad structure of the paper is given in the following.

1 Hybrid Systems

Hybrid systems are systems that combine discrete and continuous computations. To represent continuous computations, the hybrid system model contains activities that modify their variables continuously over intervals of positive duration, in addition to the familiar transitions that change the values of variables instantaneously, representing the discrete components. It should be obvious that many systems that interact with a physical environment, such as a digital module controlling a process or a manufacturing plant, a digital-analog guidance of transport systems, a control of a robot etc., can benefit from the more detailed modeling proposed by the comprehensive framework of the hybrid model. Various abstract models for systems for handling real-time and "continuous" computations have been proposed recently in [KePn92, MaPn92, NSY92]. There have been several definitions of hybrid systems. One of the definitions corresponds to specifying behaviour sequences explicitly denoting the absence/presence of signals at the timed transitions. Our notion of hybrid systems corresponds to the one defined in [KePn92] based on hybrid traces. In this paper, we adapt the CRP [BeRaSh 93] formalism for the specification of hybrid systems and show that it provides a convenient vehicle for specifying hybrid systems. In addition to the implementation of CRP on top of Esterel, the tools and environment of Esterel can be effectively used for the development and verification of CRP programs.

2 Behavioural Specification of Clocked CRP Programs

We start with the addition of the tick signal in the behaviour specification of programs as in the case of semantics for the hardware implementation of Esterel [Be 92]. Due to the limited space, we will highlight informally the main features. A brief look at the execution history of a CRP program provides some understanding of the main aspects of CRP and hybrid computations.

A history (Esterel or CRP node) is a sequence of events E1, E2, ..., Ei, ...; for convenience, we denote Ei by (Ii, Oi), where Ii and Oi denote the input and the output events in the ith instant respectively. In a clocked CRP program every instant consists of the input signal tick.

A history is said to be CRP valid if it satisfies the following properties:

1. The history satisfies all the declared exclusion relations.

2. ∀i, tick ∈ Ii. Every input instant contains the special signal tick.

   • When programming digital circuits it will naturally denote clock ticks (which corresponds to the integer domain of time).

   • For dense domains for time,

     - we consider the signal tick with values. For instance, the signal tick(v) in In could indicate an elapse of v ∈ R+ units of time from the last occurrence of tick.

     - further, the sequence of ticks with values forms a progressive sequence; that is, it does not form a Zeno sequence.

3. Asynchronous signals satisfy:

   • An event is received only after it is requested.

   • The start and the receive of an asynchronous request cannot happen in the same instant.

4. ∀i, |Ii| + |Oi| < ∞. That is, it satisfies the property of finite variability, namely, the state changes only finitely often throughout any finite interval of time. That is, between any two consecutive input instants containing tick there can be only a finite sequence of events.
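The validity conditions above, run over constructed history prefixes, as an added example that is not part of the paper: an instant is a pair (Ii, Oi) of event sets, tick is written either as the plain signal "tick" (integer time) or as ("tick", v) carrying the elapsed time v (dense time), and an asynchronous request r is written ("start", r) when issued and ("recv", r) when it completes. The encoding, the signal names and the sample histories are assumptions of the example; on a finite prefix the progressiveness condition can only be checked as v > 0 for every tick, since a Zeno sequence is a property of the whole infinite history.

```python
# Added example (not from the paper): a checker for the CRP-validity
# conditions on a finite prefix of a clocked history.  Event encoding:
#   "tick" or ("tick", v)   the clock, v > 0 the elapsed time in dense domains
#   ("start", r)            asynchronous request r is issued
#   ("recv", r)             asynchronous request r completes
#   any other string        an ordinary Esterel signal


def crp_violations(history, exclusions=()):
    """Return the list of violated CRP-validity conditions (empty if valid).

    `history` is a list of (inputs, outputs) pairs of event sets, one per
    instant; `exclusions` is a collection of pairs of mutually exclusive
    signal names (the declared exclusion relations).
    """
    problems = []
    pending = set()                  # requests started but not yet received
    for i, (inputs, outputs) in enumerate(history, start=1):
        events = set(inputs) | set(outputs)
        names = {e[0] if isinstance(e, tuple) else e for e in events}

        # 1. every declared exclusion relation holds in every instant
        for a, b in exclusions:
            if a in names and b in names:
                problems.append(f"instant {i}: exclusion {a} # {b} violated")

        # 2. every input instant contains tick; with dense time a progressive
        #    (non-Zeno) sequence needs every tick(v) to advance time, v > 0
        valued = [e for e in inputs if isinstance(e, tuple) and e[0] == "tick"]
        if "tick" not in inputs and not valued:
            problems.append(f"instant {i}: no tick in I_{i}")
        for _, v in valued:
            if not v > 0:
                problems.append(f"instant {i}: tick({v}) does not advance time")

        # 3. asynchronous signals: received only after requested, and the
        #    start and the receive never fall in the same instant
        started = {e[1] for e in events if isinstance(e, tuple) and e[0] == "start"}
        received = {e[1] for e in events if isinstance(e, tuple) and e[0] == "recv"}
        for r in sorted(received):
            if r in started:
                problems.append(f"instant {i}: start and receive of {r} in the same instant")
            elif r not in pending:
                problems.append(f"instant {i}: {r} received before being requested")
        pending = (pending | started) - received

        # 4. finite variability, |I_i| + |O_i| < infinity: every instant is a
        #    finite set here, so the condition holds by construction
    return problems


# Constructed sample histories
VALID = [
    ({("tick", 0.5), "go"}, {("start", "req1")}),
    ({("tick", 0.25)}, set()),
    ({("tick", 1.0), ("recv", "req1")}, {"done"}),
]
ZENO = [({("tick", 0.5)}, set()), ({("tick", 0.0)}, set())]
SAME_INSTANT = [({("tick", 1.0), ("recv", "req2")}, {("start", "req2")})]
EXCLUDED = [({"tick", "go"}, {"done"})]

if __name__ == "__main__":
    for name, h in [("VALID", VALID), ("ZENO", ZENO), ("SAME_INSTANT", SAME_INSTANT)]:
        print(name, crp_violations(h, [("go", "done")]))
```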


We adapt the clocked CRP behavioral specification for hybrid system specification and establish that CRP provides a convenient description for hybrid systems permitting the use of verification tools for Esterel/CRP by:

1. Restricting the behaviour specification to progressive systems, i.e., systems that do not admit Zeno sequences.

2. Relating the asynchronous signals with a finite set of continuous activities.

3. Relating the behaviour specification of clocked CRP to the two broad types of computations based on hybrid traces (cf. [MaPn 92]):

   (a) Sampling computations having the signature N ↦ Σ × R+ where each natural number j is mapped to a pair consisting of a state sj and a real-time stamp tj.

   (b) Super-dense computations² having the signature R+ × N ↦ Σ, that is, it maps each pair <t, i>, where t ∈ R+ and i ∈ N, to a state s ∈ Σ, and the step numbers correspond to the transitions that are taken at time instant t.

4. Relating causally correct clocked CRP programs to timed graphs and finitely satisfiable TCTL formulas.

3 Illustrative Examples

We illustrate specification of hybrid systems through clocked CRP by the following examples:

1. We describe the Cat and Mouse problem (cf. [MaPn 92]) and show how the CRP formalism provides a convenient description including the priority for the Mouse (or the Cat) when they reach the target/destination simultaneously.

2. Next, we consider the specification of a controller for controlling the flight path of a communication satellite. Due to various uncertainties at the various stages (due to energy and other motor characteristics) of the launch, it is not possible to pre-program the flight path of the rocket so as to result in the desired end conditions within the specified tolerances. Thus, there is a need to determine the flight path from instant to instant to keep the flight path within the specified tolerance limits. Hence, the control needs to be asynchronous (where events can happen arbitrarily close to each other). We show that clocked CRP provides a convenient formalism for specifying such hybrid systems.

² The advantages/disadvantages of super-dense computation semantics and sampling computation semantics will be discussed in the full paper.

The paper concludes with a discussion of the relative comparison of the formalisms 
for hybrid specifications such as variants of Statecharts and other formalisms, and also 
the use of Esterel tools in the development of CRP programs. 
1 Introduction

Real-time systems are characterized by their umbilical connection to the environment [Wirt 77]. They are most often modeled as event driven systems where the occurrence of events dictates a timed response by the system [Dasa85, Jaff91]. Such a behavior is naturally described by a state transition diagram [Best91]. The goal of this paper is to initiate the development of an algebraic methodology for real-time program development that is convenient for the programmer and allows easy proof of the correctness of real-time programs. This methodology is algebraic in nature in the sense that program development is closer to the development of algebraic computations than to the development of programs using conventional languages. Following this methodology a real-time program is developed in two steps: first the behavior of a real-time system is specified using a real-time system specification language and then this behavior is automatically transformed into a semantic driven automaton [Rus91, Knaa92] that implements the real-time program. Consequently, no programming activity in the usual sense is involved. A similar approach for real-time program development is described in [Nico92]. The difference is that our real-time system specification language is a regular language on the alphabet of conditional actions similar to guarded commands [Dijk75], while in [Nico92] a language of timed processes [Nico91] is used. In addition, the abstract time used to model the time is different in the two approaches.

2 Real-Time System Specification by Regular Expressions

We consider that any specification language must be provided with a capability for abstraction manipulation that consists of: a mechanism for type definition, a mechanism for object declaration, and a mechanism for application specification. We propose a language capable of specifying the behavior of a real-time application where each specification contains two sections: a declaration section which specifies the types and variables of those types that will be used, and a behavior specification section which specifies the application in terms of the declared variables, as seen below. The declaration section specifies the state of the system seen as the interpretation of the collection of names used in the real-time system, σ : Names → Values. Let S be the collection of states of a given real-time system. The behavior of the system is stepwise specified in terms of two well-understood constructions:

• State transitions, τ : S → S, expressed by named conditional actions of the form τ : (Condition → Action), interpreted as "when Condition holds the Action is performed".

• Composition of state transitions using regular operators. That is, if a and b are state transitions then (1) the concatenation of a and b denoted ab, (2) the choice of a or b denoted a|b, and (3) the repetition of a state transition a, known as Kleene star and denoted by a*, are state transitions.
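An interpreter for the two constructions above, as an added example that is not the paper's code: a state is an interpretation σ : Names → Values held in a dict, a named conditional action has no successor when its Condition fails, concatenation runs the second expression on every result of the first, choice collects the successors of the enabled alternatives, and Kleene star is the reflexive transitive closure computed as a least fixpoint. The counter variable `x`, the transition names and the `set_var` helper are constructed for the example; the Time channel of the next section is not modelled here.

```python
# Added example (not from the paper): an interpreter for behaviour
# specifications built from named conditional actions with the regular
# operators concatenation, choice and Kleene star.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

State = Dict[str, int]                  # sigma : Names -> Values
Key = FrozenSet[Tuple[str, int]]        # hashable form of a state


def freeze(state: State) -> Key:
    return frozenset(state.items())


@dataclass(frozen=True)
class Trans:
    """Named conditional action  name : (Condition -> Action)."""
    name: str
    condition: Callable[[State], bool]
    action: Callable[[State], State]


@dataclass(frozen=True)
class Cat:          # concatenation  a b
    left: object
    right: object


@dataclass(frozen=True)
class Alt:          # choice  a | b
    left: object
    right: object


@dataclass(frozen=True)
class Star:         # repetition  a*
    body: object


def run(expr, states: Set[Key]) -> Set[Key]:
    """States reachable by performing `expr` from any state in `states`."""
    if isinstance(expr, Trans):
        out = set()
        for key in states:
            sigma = dict(key)
            if expr.condition(sigma):                  # "when Condition holds ..."
                out.add(freeze(expr.action(sigma)))    # "... the Action is performed"
        return out
    if isinstance(expr, Cat):
        return run(expr.right, run(expr.left, states))
    if isinstance(expr, Alt):
        return run(expr.left, states) | run(expr.right, states)
    if isinstance(expr, Star):
        closure, frontier = set(states), set(states)
        while frontier:                                # least fixpoint: iterate until no new state
            frontier = run(expr.body, frontier) - closure
            closure |= frontier
        return closure
    raise TypeError(f"not a behaviour expression: {expr!r}")


def set_var(name, value):
    """Action  name := value, where value may depend on the current state."""
    def action(sigma):
        sigma[name] = value(sigma) if callable(value) else value
        return sigma
    return action


# Constructed sample: a watchdog counter that counts up to 3 and then resets
count = Trans("count", lambda s: s["x"] < 3, set_var("x", lambda s: s["x"] + 1))
reset = Trans("reset", lambda s: s["x"] >= 3, set_var("x", 0))
CYCLE = Cat(Star(count), reset)        # count* reset


def reachable(expr, initial: State):
    """States reachable from `initial` by `expr`, as sorted plain dicts."""
    keys = run(expr, {freeze(initial)})
    return sorted((dict(k) for k in keys), key=lambda d: sorted(d.items()))


if __name__ == "__main__":
    print(reachable(Star(count), {"x": 0}))
    print(reachable(CYCLE, {"x": 0}))
```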
2.1 Declaration Section

The real-time system specification language discussed here allows one to express the behavior of the real-time system as a continuous interaction between the system and its environment. During this interaction the system receives data from the environment that determines the system state transitions; during the state transition the system may receive or send data in the environment, affecting it as well as changing the state. This behavior is accomplished by considering the environment as a collection of typed communication channels. The basic typed channels are abstract and predefined and are represented by the usual types boolean, integer, character, string, etc., whereas the channels specific to the real-time applications are defined in the application and their objects are constructed in terms of the basic type objects. For each channel a and variable x of type a the following operations may be defined: send(x, a) that sends the value of x on the channel a, receive(x, a) that assigns to x the current value on the channel a, and set(x, t) that sets the value of the variable x to a value t of type a, denoted by x := t. The constructed types specific to real-time applications considered here are:

Time: In this paper time is an algebraic structure T = (T, 0, +, <) as in [Nico92] where 

1. (T, 0, +) is a commutative monoid such that ∀t1, t2 ∈ T, [t1 + t2 = t1] implies t2 = 0. 

2. < is a total order on T such that ∀t1, t2 ∈ T, [t1 < t2] iff ∃t3 ∈ T [t1 + t3 = t2]. 

Practically, time is implemented by a channel on which time is continuously ticking. That is, at 
any instant a receive operation on this channel returns an object of type time that represents the 
real time elapsed from the start of the application until the moment when the receive operation 
has been executed. Note that send(x,time) is not defined. If x is of type Time, where Time is a 
channel of type time, then set(x,t) assigns the value t of type time to x, and x := receive(Time) 
sets x to the value t + δ where δ is the real time elapsed since the last set of x to the time t. The 
functioning model of a real-time system in this paper is considered as taking place in real time 
and independently of the time. That is, while state transitions of the real-time system take place 
as described by the equations specifying the system, the time continuously ticks independently. 
The time becomes visible only when a variable x of type Time is checked by an x := get(Time) 
operation. 

Text: An object of type text is a string. 

Analog: This type describes analog devices that are controlled by the real-time system, or that 
are used to sense the real world. A get operation on an analog channel returns an analog value that 
represents the current measured quantity as sensed by the device, such as temperature, density, 
speed, etc. A send operation on an analog channel may activate a device such as a stepping motor 
or audible tone generator. 

Digital: This type describes digital devices used to sense the environment, or to be controlled 
by the environment. A digital input channel may be a switch whose status can be read and that is 
operated by a human, and a digital output channel may be a control which starts a fan, turns on 
a heating element, etc. 

The variables in terms of which system behavior is specified are of the types of channels defining 
the system. The variable declarations in a real-time system are analogous to variable specifications 
in a conventional language, i.e. variables are defined over several types (some of them unique to 
real-time systems). Since all these types are predefined, we need merely to declare a variable of 
one of these types by specifying a name representing an instantiation of the type. 

2.2 Behavior Specification Section 

The behavior of the real-time application is represented by a system of conditional equations 
[Knaa92, Rus92] specifying a semantic driven automaton, denoted by SDA. Since the primary 
behavior of an SDA depends on the content of the data it receives from its environment, the SDA 
must check conditions on these data in order to know when to move from one state of the real-time 
application machine to the next and also what actions to perform as it changes state. That is, a 
state transition is a description of the conditions that allow a move from one state to another. The 
description consists of a test of the real-world conditions in the application's environment, and of 
the actions to perform while changing state. 

A condition is a predicate which tests properties of a message from a channel. For example, let 
Temperature be a channel and Temp be a variable of type Temperature. Then if the SDA must 
perform some action if the temperature exceeds 350 degrees, it must perform Temp := get(Temperature) 
and then, if Temp > 350, the SDA will change state, performing some specified action, such as 
shutting off a heating element, as it does so. Conditional expressions [Knaa92] consist of either single 
conditions or conditions connected by the logical operators and, or and not. Thus, information from 
multiple channels can be tested in the same conditional expression. 

The primitive actions performed by an SDA are: 

1. Send data x to the channel a, send(x,a). 

2. Receive data x from a channel a, x := receive(a). 

3. Do nothing, denoted by idle. This action never terminates. The only way to get out of it is 
through a preempt operation [Kest92]. 

4. Skip action, denoted by skip. This action does nothing and terminates in a single execution. 

5. Wait for a condition C to be satisfied, denoted by wait(C). This action terminates only when 
C becomes true. 

6. Assignment action, denoted by x := E where x is a variable, E is an expression (possibly 
including a function call) and the type of x is the same as the type of E. 

A transition has two parts: 

1. A conditional expression which is a predicate over the language of conditions on variables of 
the types defining the real-time system. An empty condition is interpreted as always true. 

2. A list of actions to perform when the condition is satisfied. This can be a (possibly empty) 
list of send, receive, and assignment statements which can modify the value of variables. 
A transition in this language has the form id : (condition → actionlist) where id is a transition 
name, condition is a conditional expression as defined above, and actionlist is a list of actions which 
actually control the channels making up the real-time system. In this manner each transition defined 
is represented by a name. The collection of transition names used in a real-time specification is 
called the alphabet of transitions. 

The specification of a real-time system consists of a set of conditional equations over the alphabet 
of transitions. The equations are of the form id = regular expression, where id is either a transition 
name, one of the names "Start", "Stop", or "Error", denoting the start state, terminate state, and 
calling an error manager, respectively, or the left-hand side of a previously defined equation. The 
regular expression uses the usual regular operations of concatenation, choice and Kleene star 
over the set of transition names to specify a finite-state machine. 

A complete example follows. It is provided by the set of equations that specifies the behavior 
of an oven [Com92]. The environment is specified by the following table: 


Channels       Type      Names              Values 
Time           time      Timer, Update      Integers denoting seconds 
Temperature    analog    Temp               Integers denoting centigrades 
Commands       digital   Cmd, Heat, Cool    Integers denoting booleans 
Predefined     integer   Hyst, SetP,        Integer numbers 
Text           Message   M1, M2             Text of messages 


The transition equations describing the oven behavior are: 


T1 : (→ Heat := 0; Timer := 0; Hyst := 1; SetP := 100; Update := 1) 
T2 : (Timer = 0 and Cmd = 1 → skip) 
T3 : (Temp < SetP - Hyst → send(M1,Text); Heat := 1; Cool := 0) 
T4 : (Heat = 1 → Cool := 0; Timer := Update; Heat := 1; M1 := receive(Text)) 
T5 : (Heat = 0 → Cool := 0; Heat := 1; send(M2,Text)) 
T6 : (Temp > SetP + Hyst → Cool := 1; Heat := 0; send(M1,Text); Timer := Update) 
T7 : (Cool = 1 → Cool := 0; Heat := 0; Timer := Update; M1 := receive(Text)) 
T8 : (Cool = 0 → Cool := 1; Heat := 0; send(M2,Text)) 
T9 : (Timer = 0 and Cmd = 0 → Heat := 0; Cool := 0; Timer := 0; send(M1,Text)) 
T10 = (T,(T.(T,|Ts))|(T,(T,|T.))) 
T11 = (Ts(TrT,)|(Ts(T7|T,))) 
Start = (Ti(T,(Tio|Tu1T,))|(T,(T,|T,)))* 

3 Expressive Power of Semantic-Driven Automata 

A semantic driven automaton is controlled by the properties of the tokens it recognizes instead 
of being controlled by their syntax. The semantic driven automaton that recognizes transition 
equations specifying the real-time system is described by a two-level transition table [Knaa92] and 
is equivalent to the program controlling the real-time application. Since time is a type of a real-time 
system, variables of type time can be defined and initialized in the system's specification part. These 
variables can be set, and their values can be tested and used in various conditions defining the transitions 
of the real-time application. Therefore, a semantic driven automaton that uses time-conditions in 
its transitions is a timed automaton [Nico92]. However, any kind of real-time device and condition 
can be easily integrated in the real-time specification language defined in this paper. Therefore, 
the semantic driven automata provide a unifying mechanism for real-time program synthesis from 
specification. 

In order to show the expressive power of semantic driven automata we will sketch here the proof 
that if a computation can be expressed using a conventional language then that computation can 
be expressed by conditional equations specifying a semantic driven automaton. For that we will 
consider the statement as the unit of computation specified by conventional languages and will show 
that any construct expressing control flow on statements can be expressed by regular expressions 
using conditional expressions. 

Let S1 and S2 be statement labels and E be a boolean expression. Then we have: 

1. The concatenation S1; S2 is a regular expression S1 S2. 

2. The branching statement if E then S1 else S2 can be expressed by the regular expression 

S' : (E → S1), S'' : (¬E → S2), S = S'S''. 

3. The while loop while E do S1 can be expressed by the regular expression S : (E → S1), 
S' = S*. 
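As an added example (not code from the paper or its translator), the following Python interpreter composes named conditional transitions with concatenation, choice and Kleene star, then runs the while/if encodings of this section and the oven transitions T3 and T6 from the table above (SetP = 100, Hyst = 1). The execution semantics are assumptions the abstract does not fix: a transition whose condition is false acts as skip, choice fires the first enabled branch, and star repeats while its body is enabled; the channel is an in-memory list and the countdown program is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

State = Dict[str, object]
Action = Callable[[State], None]

class Channel(list):
    """Constructed stand-in for a typed channel: send appends a message."""
    def send(self, value) -> None:
        self.append(value)

@dataclass
class Transition:
    """id : (Condition -> Action), the unit that the regular operators compose."""
    name: str
    cond: Callable[[State], bool]
    actions: List[Action]

    def enabled(self, st: State) -> bool:
        return self.cond(st)

    def run(self, st: State, trace: List[str]) -> None:
        if self.cond(st):            # assumption: a disabled transition acts as skip
            for act in self.actions:
                act(st)
            trace.append(self.name)

@dataclass
class Seq:
    """Concatenation a b: run the parts in order."""
    parts: List["Expr"]

    def enabled(self, st: State) -> bool:
        return bool(self.parts) and self.parts[0].enabled(st)

    def run(self, st: State, trace: List[str]) -> None:
        for p in self.parts:
            p.run(st, trace)

@dataclass
class Alt:
    """Choice a | b: the first enabled branch fires (assumption)."""
    parts: List["Expr"]

    def enabled(self, st: State) -> bool:
        return any(p.enabled(st) for p in self.parts)

    def run(self, st: State, trace: List[str]) -> None:
        for p in self.parts:
            if p.enabled(st):
                return p.run(st, trace)

@dataclass
class Star:
    """Kleene star a*: repeat the body while it is enabled (assumption), bounded."""
    body: "Expr"
    limit: int = 10_000

    def enabled(self, st: State) -> bool:
        return True

    def run(self, st: State, trace: List[str]) -> None:
        n = 0
        while self.body.enabled(st) and n < self.limit:
            self.body.run(st, trace)
            n += 1

Expr = Union[Transition, Seq, Alt, Star]

def assign(var: str, expr: Callable[[State], object]) -> Action:
    """Assignment action x := E."""
    return lambda st: st.__setitem__(var, expr(st))

def run_program(expr: Expr, st: State):
    trace: List[str] = []
    expr.run(st, trace)
    return st, trace

def countdown(start: int):
    """Section 3 encodings: 'while x > 0 do x := x - 1' as S : (E -> S1), S' = S*, then
    'if x = 0 then flag := zero else flag := pos' as S' : (E -> S1), S'' : (not E -> S2), S = S'S''."""
    loop = Star(Transition("S", lambda s: s["x"] > 0, [assign("x", lambda s: s["x"] - 1)]))
    branch = Seq([Transition("S'", lambda s: s["x"] == 0, [assign("flag", lambda s: "zero")]),
                  Transition("S''", lambda s: s["x"] != 0, [assign("flag", lambda s: "pos")])])
    return run_program(Seq([loop, branch]), {"x": start, "flag": None})

def oven_step(temp: int, text: Channel):
    """Oven transitions T3 and T6 from the paper, composed as the choice T3 | T6."""
    st = {"Temp": temp, "SetP": 100, "Hyst": 1, "Heat": 0, "Cool": 0, "Timer": 0, "Update": 1}
    t3 = Transition("T3", lambda s: s["Temp"] < s["SetP"] - s["Hyst"],
                    [lambda s: text.send("M1"), assign("Heat", lambda s: 1), assign("Cool", lambda s: 0)])
    t6 = Transition("T6", lambda s: s["Temp"] > s["SetP"] + s["Hyst"],
                    [assign("Cool", lambda s: 1), assign("Heat", lambda s: 0),
                     lambda s: text.send("M1"), assign("Timer", lambda s: s["Update"])])
    return run_program(Alt([t3, t6]), st)
```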

We used here only regular operators to express conditional equations due to their well-understood 
semantics and the well-known methodology of mapping regular expressions into programs. 
However, the approach we use to implement semantic driven automata allows us to use other 
operators than the regular ones and therefore we can easily generalize, introducing equations of the 
form S = S1 || S2 where || denotes the parallel composition of S1 and S2, thus obtaining a mechanism 
for parallel program synthesis from specifications. 

The major advantages of this methodology for program synthesis from specifications are: 

1. It allows stepwise program development in terms of simple actions, well understood by 
programmers, and their automatic composition through the mechanism of transforming regular 
expressions into programs. 

2. It allows formal proof of the program correctness by first proving the correctness of the 
simple actions making up the program and by automatically preserving this correctness by 
the translator mapping regular expressions into programs. 

3. The automatic mapping of regular expressions into efficient programs is feasible and well 
understood. 

4. It unifies the methodology of program synthesis from specification, and opens a new field of 
research. 
Extended Abstract 


1 Introduction 

It is widely recognized that a completely rigorous treatment of the correctness of designs of 
realistic information-processing systems is beyond the scope of the formal methods currently 
at our disposal. While for some aspects of this predicament improvements can be expected 
through the development and use of more powerful formalisms, theories, and supporting software 
tools, there are structural problems related to managing the combinatorial complexity 
of correctness proofs for large systems. The investment done to prove correctness should also 
be measured against the remaining possibility that errors are introduced in the ultimate realization 
phase of the design, where formal methods may no longer be applicable (e.g. silicon 
compilation). As a result, in practice mostly methods that deal with approximate correctness 
criteria are used, such as testing and the verification of particular properties. This should also 
be seen against the background that complete correctness of systems is not required in most 
cases: in reality one tries to make the occurrence of important errors sufficiently unlikely. 

In recent years there has also been a growing theoretical interest in the question of partial 
validation, which has led to much new work on topics like model checking and testing theory, 
e.g. [9, 5, 3, 2]. This has given rise to new algorithms for the validation of given properties and 
for the generation of tests, whereas the related question concerning the coverage of partial 
validation methods, i.e. how much the validation of a particular property contributes to the 
overall correctness of the design, has received considerably less attention. Such measures are 
needed to guide the selection of properties that should be validated, and can be used to 
quantify the quality of a validation procedure, and, indirectly, of the implementations that 
succeed in passing them. Unfortunately, it is not straightforward how to obtain such measures. 

In the literature it has been proposed to use the probability of the occurrence of an error as 
a guiding principle for partial validations, viz. by ignoring improbable errors (see e.g. [7]). 
This would seem to suggest that the coverage of such a partial validation method could be 
calculated as a sum of the probabilities of independent errors that are exposed by the method. 
This approach has the drawback that often it may be the absence of less frequent errors that 
determines the quality of a design. Moreover, the appreciation of the role of a particular error 
may depend more on the application of a system than on its specified abstract functionality. 
The occurrence of the same software bug in a computer game and in the operating system 
of a nuclear plant could be of a radically different importance, and this should preferably be 
reflected in a coverage measure. 

In an earlier paper we have therefore proposed that coverage should be based on so-called 
valuations that assign weights to error classes corresponding to their gravity [4]. Probability 
distributions over error classes being special instances of valuations, this yielded a generalization 
of the probability induced notion of coverage. This approach has the drawback, however, 
that it was not clear how, in view of their subjective nature, such valuations could be obtained 
or approximated for given applications. For the probability induced notion of coverage there 
exists at least the wealth of statistical methodology to estimate the distributions involved. 

In the full version of this paper we refine our idea of valuations. Measurements of the probability 
of error occurrences in implementations can be used to improve our estimates of valuations, 
while still maintaining a possibility to account for the difference between the probability and 
the gravity of an error. We follow a measure-theoretic approach in which an exogenous cost 
function (quantifying the effect of certain properties in an implementation) is integrated over 
a measure that is induced by the probability of error occurrences. In this way, in fact, we do 
not only obtain a notion of coverage, but a general way of assigning measures to specification 
theories in the context of a given class of implementation structures. 

2 Main formalizations 

The correctness of an implementation I with respect to a specification S is usually formalized 
by means of an implementation or refinement relation R such that I is a correct implementation 
of S iff (I, S) ∈ R. We will in fact assume that this relation R can be formalized in 
terms of the satisfaction of a logical theory, viz. R = {(I, S) | I ⊨ Th(S)}, where Th(S) is 
the theory in some logical language L specified by S and ⊨ denotes a satisfaction relation. 
Many implementation relations can in fact be characterized in this way, including those using 
constructive specification formalisms (see e.g. [8]). 

As indicated above we view the design process as a stochastic experiment that produces an 
implementation I on the basis of a given specification S. In order to model this correctly 
we need to define a Borel space in which I takes its value (see e.g. [1]). Let 𝓘 be the set of 
all potential implementations of S, and Φ_L the set of formulae in L; then we are particularly 
interested in the sets 

V_Φ =def {I ∈ 𝓘 | I ⊨ Φ}   for Φ ⊆ Φ_L   (1) 

We say that 𝓘 has the Borel property w.r.t. L iff 𝒱 =def {V_Φ | Φ ⊆ Φ_L} is a Borel set for 𝓘, 
i.e. (i) ∅ ∈ 𝒱, and (ii) 𝒱 is closed under arbitrary unions and complementation (w.r.t. 𝓘). 
Requirement (i) is easily fulfilled, viz. if L is sufficiently rich to allow for inconsistent theories 
Φ, as that implies V_Φ = ∅. The closure property w.r.t. complementation is more involved, as 
for each Φ ⊆ Φ_L there need not exist a Ψ ⊆ Φ_L such that V_Ψ = 𝓘 \ V_Φ = {I | I ⊭ Φ}. As 
the latter set could be characterized by the disjunction over the negations of all φ ∈ Φ, one 
solution would be to work with languages that have either explicit generalized disjunctions, 
such as e.g. L_ω1ω [6], or implicit ones, e.g. in the form of fixpoint constructions [8]. Another 
option is to restrict the class of implementations 𝓘. In practice, for example, one can often 
restrict the attention to a finite set 𝓘 where each I ∈ 𝓘 is completely characterized by a finite 
theory Φ_I ⊆ Φ_L. In that case ordinary negation and disjunction suffice to warrant the closure 
properties. 

Assuming that 𝓘 has the Borel property w.r.t. L, we can now introduce for each specification 
S a measure P_S over 𝓘, viz. by putting 

P_S(V_Φ) =def Pr{I ∈ V_Φ}   (2) 

i.e. assigning the probability that the implementation satisfies Φ. 

As we have observed above we wish to modify this measure by also taking into account the cost 
of errors. We assume therefore that there exists a function k : P(Φ_L) → R_≥0 that determines the 
cost k(Φ) of satisfying the properties of Φ. This function has to satisfy the intuitive property 
that cost increases with logical strength, i.e. Φ ⊨ Ψ implies that k(Φ) ≥ k(Ψ), where Φ ⊨ Ψ 
means that for all I ∈ 𝓘, I ⊨ Φ implies I ⊨ Ψ. If we put Th(I) =def {φ ∈ Φ_L | I ⊨ φ} then 
we can overload k to include a function of type 𝓘 → R_≥0 by putting k(I) =def k(Th(I)). It 
can be shown quite easily that this function is integrable w.r.t. each measure P_S. This result 
allows us to define the valuation measure on 𝒱 as the measure-theoretic integral 

μ_S(V) =def ∫_V̄ k(I) dP_S   for all V ∈ 𝒱   (3) 

Note that in order to calculate μ_S(V) we integrate the cost over its complement V̄. This can be 
understood by realizing that once we have established, by (partial) validation, that I ⊨ Φ, or 
equivalently that I ∈ V_Φ, it follows that I ∉ V̄_Φ, so that the cost related to implementations 
in V̄_Φ has been avoided. This seems a natural way to measure the value of having established 
Φ. Another way of looking at it is that μ_S must increase with logical strength, as k does: if 
Φ ⊨ Ψ then Φ contains more information than Ψ, and should consequently have a higher 
valuation. This follows as Φ ⊨ Ψ implies V_Φ ⊆ V_Ψ implies V̄_Ψ ⊆ V̄_Φ implies μ_S(V_Ψ) ≤ μ_S(V_Φ). 

Because of the non-continuous nature of 𝓘 the integral in (3) will in practice be evaluated 
as a, possibly infinite, summation. Nevertheless, equation (3) gives us the most compact 
representation of the definition of the measure in full generality. 

Having established the measure μ_S for given specifications S it is now straightforward to 
produce the definition of the coverage of a partial validation w.r.t. S as a normalization of 
μ_S. Let Φ ⊆ Th(S); then a procedure for establishing that I ⊨ Φ has a coverage α, with 
0 ≤ α ≤ 1, iff 

μ_S(V_Φ) ≥ α · μ_S(V_Th(S))   (4) 

We also say that an implementation I is α-correct, or, alternatively, has a margin of error 
of 1 − α, iff there exists a Φ ⊆ Th(S) with I ∈ V_Φ for which equation (4) holds. Note that 
1-correctness does not necessarily coincide with total correctness in the classical sense, as 
errors with measure 0 are ignored if the measure that is used admits their existence. 

It should be noted that the above definition of coverage applies even in the pathological case 
where μ_S(V_Th(S)) = 0, by (4) trivially yielding coverage 1 for any Φ. In the normal case, 
i.e. when μ_S(V_Th(S)) ≠ 0, the normalisation can be applied directly to the definition of the 
measure itself by putting 

μ̂_S(V) =def μ_S(V) / μ_S(V_Th(S))   (5) 

In this way μ̂_S has become insensitive to the absolute value of applications of the cost function 
k, taking only its proportional variation into account. Inequality (4) then simplifies to 
μ̂_S(V_Φ) ≥ α. 
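The finite-summation case mentioned above, as an added example that is not the authors' code: with a finite set 𝓘 of implementations, each characterised by the finite theory Th(I) it satisfies, definitions (1) to (5) reduce to a few functions. The formulae, implementations, probabilities and gravity weights are constructed sample data; the cost function k (weight of the consequence closure) is one choice that satisfies the logical-strength property, not the paper's.

```python
from fractions import Fraction
from typing import Dict, FrozenSet, Iterable

Formula = str
Theory = FrozenSet[Formula]

# Constructed sample: each implementation is identified by the theory Th(I) it
# satisfies, and PROB[I] is Pr{design process yields I}, as in equation (2).
IMPLS: Dict[str, Theory] = {
    "I1": frozenset({"p", "q", "r"}),
    "I2": frozenset({"p", "q"}),
    "I3": frozenset({"q"}),
    "I4": frozenset(),
}
PROB: Dict[str, Fraction] = {"I1": Fraction(1, 2), "I2": Fraction(1, 5),
                             "I3": Fraction(1, 5), "I4": Fraction(1, 10)}
# Constructed gravity weights: how much it matters that a property holds
# (independent of how probable a violation is).
WEIGHT: Dict[Formula, int] = {"p": 10, "q": 3, "r": 1}
TH_S: Theory = frozenset({"p", "q", "r"})   # Th(S): everything the specification demands


def satisfies(impl: str, phi: Iterable[Formula]) -> bool:
    """I |= Phi."""
    return set(phi) <= IMPLS[impl]


def V(phi: Iterable[Formula]) -> FrozenSet[str]:
    """Equation (1): V_Phi = {I in I | I |= Phi}."""
    return frozenset(i for i in IMPLS if satisfies(i, phi))


def entails(phi: Iterable[Formula], psi: Iterable[Formula]) -> bool:
    """Phi |= Psi w.r.t. I: every implementation satisfying Phi satisfies Psi."""
    return V(phi) <= V(psi)


def cost(phi: Iterable[Formula]) -> int:
    """k(Phi): weight of the consequence closure of Phi, so that
    Phi |= Psi implies k(Phi) >= k(Psi) (cost grows with logical strength)."""
    closure = {f for f in WEIGHT if entails(phi, {f})}
    return sum(WEIGHT[f] for f in closure)


def mu(v: FrozenSet[str]) -> Fraction:
    """Equation (3) as a finite sum: k(I) = k(Th(I)) integrated over the complement of V."""
    return sum((cost(IMPLS[i]) * PROB[i] for i in IMPLS if i not in v), Fraction(0))


def coverage(phi: Iterable[Formula]) -> Fraction:
    """Equation (5): normalised measure of establishing Phi, i.e. the largest alpha
    for which inequality (4) holds (1 in the pathological case mu_S(V_Th(S)) = 0)."""
    total = mu(V(TH_S))
    if total == 0:
        return Fraction(1)
    return mu(V(phi)) / total


def is_alpha_correct(impl: str, alpha) -> bool:
    """I is alpha-correct iff some Phi subset of Th(S) with I in V_Phi reaches coverage
    alpha; since coverage is monotone in logical strength, Th(I) ∩ Th(S) is the one to test."""
    return coverage(IMPLS[impl] & TH_S) >= alpha
```

In the constructed data p entails q over 𝓘 (no implementation has p without q), so k({p}) already includes the weight of q, and establishing q alone has coverage 0 because the only implementation failing q carries no cost.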
In the full paper we give an elaborated example of the application of our theory, which is an 
extension of the probabilistic example in [4]. Of course, an important point in the application 
of this theory is how to obtain reliable estimates of Pr{I ∈ V_Φ}. The solution here probably 
lies in measuring error distributions that result from the application of individual design steps 
that are applied sufficiently often to obtain statistical significance, as opposed to complete 
design procedures for entire systems, which are often specific for the particular system that 
is designed. By calculating the cumulative effect of the applied design steps a reasonable 
error distribution estimate could still be obtained. Not surprisingly, reliable coverage measures are 
thus tied to the application of well-understood design methods. Of course, the theory can 
also be used to give coverage assessments under the hypothesis of given error distributions. 
By making such assumptions explicit more precision is given to the coverage claims that are 
made. 
1 Introduction 

Protocol projection is an efficient approach for the analysis of communication protocols. 
It consists of deriving from an initial automaton the minimal one, while preserving specific 
equivalence relations. According to the OSI model, the basic architecture consists of two 
protocol entities communicating via an underlying service. The global service the protocol 
provides corresponds to the behaviour as observed from both Service Access Points only. Using 
LOTOS notations, this service can be described by the following expression, where SAP_i are the 
service access points, and T_i designates the interaction point that synchronises entity i and 
the communication medium: 

service[SAP1, SAP2] = hide T1, T2 in 
    ((entity[SAP1, T1] ||| entity[SAP2, T2]) 
     |[T1, T2]| medium[T1, T2]) 

Compiling such an expression produces a Labeled Transition System (LTS) which describes the 
service. This LTS is generally so complex that it is very difficult for the designer to decide 
whether this service is the expected one for the specified protocol. 

Verifying a protocol specification can be carried out by using an equivalence relation. The 
specification is correct when the provided service is equivalent to the expected one. This 
equivalence-based verification approach is well known (see for example m). 

In practice, it is not always possible to have a reference model (the so-called expected service). 
This is due to the difficulty of describing this service in a monolithic style where the composition 
operator is not used. Projection is then a convenient alternative to protocol verification. It 
consists of furnishing a reduced model of the protocol service while preserving some properties: 
the stronger the preserved properties are, the more complex the reduced model is. 

Such a reduced model can be obtained using the equivalence induced by the weak bisimulation (the 
observational equivalence) [6, 8]. Projection of an LTS according to this equivalence produces a 
minimal LTS in the sense that it contains no bisimilar distinct states. The size of the so-reduced 
system can be such that it is still not possible to analyse it. Currently, this problem is solved 
by substituting trace equivalence (known also as language equivalence in automata theory) for 
observational equivalence. The projection supplies a deterministic LTS (with only observable 
events) which is minimised w.r.t. the bisimulation equivalence (see Fig. 1). Unfortunately, the 
size reduction is accompanied by a loss of preserved properties: the only preserved properties 
are those concerning event ordering. That is, the reduced system accepts the same strings 
(sequences of events) as the initial system. 

We propose here a tradeoff between the complexity of the reduced system and the properties 
this system preserves. We propose to define a new projection relying on another equivalence. 
This equivalence is known as testing equivalence (te) in Brinksma's testing theory for LOTOS [1] 
and is a simplification of Hoare's failure equivalence used for CSP [5]. This equivalence is less 
discriminating than observational equivalence but more discriminating than trace equivalence. 
It preserves the traces and the failures of a system, that is properties dealing with the 
possibilities of deadlock with the system environment. 



Figure 1: Trace, observational and testing projections. 

Unlike bisimulation-based equivalences, it is incorrect to minimise the system by identifying 
testing-equivalent states. This is always the case for non-bisimulation-based equivalences. We 
propose here to solve this difficulty for the testing equivalence. For this purpose a transformation 
(designated as normal form for testing equivalence) of LTS is defined. This transformation 
simplifies an LTS and preserves the testing equivalence. It is defined using recursive algebraic 
definitions, which makes it support rigorous and simple proofs of correctness. 

This paper is composed of this introduction and four other sections. The next section recalls 
standard definitions related to LTSs and testing equivalence. The testing projection is then 
introduced. Before the conclusions, we compare the three projections on a small simple example. 


2 Basic definitions 

Labeled Transition Systems (shortly LTS) are the basic structure commonly used to represent 
the dynamic behavior of communicating systems. 

A Labeled Transition System can be viewed as a set of processes (S) executing actions in Σ. 
The behavior of a process s ∈ S is specified by the set of actions it can perform. The behavior 
following an action is specified by the set of transitions Δ. 

A finite Labeled Transition System (LTS) is a quadruple S = (S, Σ, Δ, s0) where: 

• S is a finite set of states, and s0, s0 ∈ S, is the initial state of S. 

• Σ is a finite set of visible actions, or labels. 

• Δ ⊆ S × (Σ ∪ {τ}) × S is the transition set; τ ∉ Σ is called the internal or invisible action. 
An element (x, μ, y) ∈ Δ is denoted x -μ-> y. 

Another transition relation, {=μ=>}_{μ ∈ Σ ∪ {ε}}, is defined in a standard way by: 

• s =ε=> s' iff s = s' or s -τ-> s1 -τ-> ... -τ-> sn -τ-> s': this means that internal moves of a 
system cannot be distinguished. 

• s =a=> s' iff s =ε=> s1 -a-> s2 =ε=> s': this means that observable moves are not 
distinguished by internal moves that encapsulate them. 

The output of a state s denotes the set of visible actions that can be performed by the system 
at the state s. Formally out(s) = {a ∈ Σ | s =a=>}. 

This relation is extended to sequences (i.e. words or strings over Σ: σ ∈ Σ*) by: 

• if σ is the sequence a1 ··· an, write s =σ=> s' when s =a1=> s1 =a2=> ··· =an=> s'. 

The empty sequence is denoted ε. As in the case of a state output, "traces of a state" refer to 
the set of all sequences of (visible) actions, σ ∈ Σ*, that can be performed from this state: 
Tr(s) = {σ ∈ Σ* | s =σ=>}. By convention, the traces of an LTS are those of its initial state: 
Tr(S) = Tr(s0). 


Using LTS, we now recall the formal definition of conformance introduced in the testing theory 
of LOTOS [1]. 

Definition 1 (testing equivalence [1]) Two LTSs P_i = (S_i, Σ, Δ_i, p_i), i = 1, 2, are said to be 
testing equivalent (noted P1 te P2) when 

(1) Tr(P1) = Tr(P2) 

(2) ∀σ ∈ Σ*, ∀A ⊆ Σ: 
∃P1', P1 =σ=> P1' and ∀a ∈ A ¬(∃P1'', P1' =a=> P1'')   iff 
∃P2', P2 =σ=> P2' and ∀a ∈ A ¬(∃P2'', P2' =a=> P2'') 

□ 


3 The testing projection 

The testing projection of an LTS S is an ≈-minimised normal form of this system: (nf(S))_≈, 
where ≈ is the bisimulation equivalence. 

The resulting system verifies the following expected properties: 

• A projection of an LTS is testing equivalent to this LTS: (nf(S))_≈ te S. 

• Two testing-equivalent LTSs have the same projection. In other words, testing equivalence 
is an isomorphism over the subset of LTSs which are ≈-minimal normal forms. 

Definition 2 (LTSs in normal form) An LTS, S = (S, Σ, Δ, s0), is said to be in normal form for 
the testing equivalence if 

(i) its initial state s0 verifies the following equation: 
•=(53 13 «:/•(•)) n 53 

xeiq.) 

(P1) 

where R(s) is a (non-empty) set of subsets of out(s) which verifies the following minimality 
(w.r.t. cardinality) property: 

∀X, Y ∈ R(s) : (Y ⊆ X) ⇒ (X = Y).   (P2) 

(ii) The states f_x(s) and f'_x(s) specified in equation P1 also verify (i) and (ii). □ 


The Lotos operators ";" and "[]" designate respectively action prefix and choice. The Lotos 
expression Σ_{i=1..n} P_i denotes the expression P1 [] P2 [] ··· [] Pn. The semantics of these 
operators is defined by the following rules: 

(i)  ∀a ∈ Σ ∪ {τ}:   a;P -a-> P 

(ii) k ∈ {1..n}, P_k -a-> P_k'  implies  Σ_{i=1..n} P_i -a-> P_k' 

The following proposition shows that testing equivalence and observational equivalence (i.e. 
weak bisimulation equivalence) are identical over LTSs in normal form. 

Proposition 3 If S1 and S2 are in normal form (def. 2) then (S1 te S2) ⇔ (S1 ≈ S2). ■ 

Definition 4 (Refusal Graph) A refusal graph, denoted RG, is a labeled graph represented by a 
5-tuple (G, Σ, Δ, g0, Ref) where: 

• (G, Σ, Δ, g0) is a deterministic LTS, that is one which verifies: ∀g ∈ G, ∀a ∈ Σ, there is at 
most one g' ∈ G such that (g, a, g') ∈ Δ. This successor can then be noted f_a(g), which means 
that the set of transitions is described using a family of functions {f_a : G → G}_{a ∈ Σ}. 

• Ref : G → P(P(Σ)) is an application which defines, for each state, the sets of actions that may 
be refused after the sequence leading to this state. □ 

To avoid redundancy, refusal sets must be minimal w.r.t. set inclusion: ∀g ∈ G, ∀X, Y ∈ Ref(g) : 
(Y ⊆ X) ⇒ (X = Y). 

And to avoid describing imaginary systems, the following hypothesis is imposed on the refusal 
graph structure: ∀X ∈ Ref(g), X ⊆ out(g). Only refused parts of the output set are considered. 

Let S be the transition system (S, Σ, Δ, s0) and consider the two following applications, whose 
domain is the set of subsets P(S): 

δ_ε(P) = ∪_{p ∈ P} δ_ε(p),   δ_a(P) = ∪_{p ∈ P} δ_a(p) 

where P is a subset of S, and ∀s ∈ S, δ_μ(s) = {s' ∈ S | s =μ=> s'} for μ ∈ Σ ∪ {ε}. 

Definition 5 ("rg" transformation) 
The refusal graph rg(S), associated with the transition system S = (S, Σ, Δ, s0), is defined by 
the 5-tuple g = (G, Σ, Δ', Ref, g0), where: 

• g0 = δ_ε(s0) = {s | s0 =ε=> s} 

• (G ⊆ P(S), Σ, Δ' ⊆ G × Σ × G) is the labeled graph rg(g0), where for all g ⊆ S, rg(g) is 
recursively defined by the following Lotos expression: 

rg(g) = Σ_{a ∈ out(g)} a; rg(δ_a(g)) 

• and for all g ∈ G, Ref(g) = {… | … ∈ g} \ {X ∈ Ref(g) | ∃Y ∈ Ref(g) : (X ⊆ Y and X ≠ Y)} 

□ 

Definition 6 ("lts" transformation) From a refusal graph g0, an LTS lts(g0) may be derived 
according to the following recursive definition: 

Mf)= 53 

xeiufis) •arv*ts)\x 

*4nx*iu/(f) ■* 


Note that the parameterised bisimulation of [2] can 
be used to provide a decision procedure for testing 
equivalence using bisimulation over refusal graphs. 
Bisimulation over refusal graphs is an interesting
question in its own right and will not be further 
explored in this paper. 

Definition 7 ("nf" transformation) The normal form of an LTS $S$ is the LTS $nf(S)$ derived from the refusal graph of $S$, that is $rg(S)$, by using the transformation lts. That is: $nf(S) = lts(rg(S))$. □

Remark: In the case of strongly convergent LTSs (i.e. when no loop is created by internal transitions), the "nf" transformation is identical to the transformation described in [7].

Theorem 8 Every LTS is testing-equivalent to its normal form: $S \text{ te } nf(S)$. ■

The next proposition can be deduced from proposition 3 and theorem 8. It provides an alternative (to the Π-bisimulation of [2]) verification of testing equivalence, allowing (weak) bisimulation equivalence over standard LTSs to be used.

Proposition 9 $S_1 \text{ te } S_2 \Leftrightarrow nf(S_1) \approx nf(S_2)$. ■

Proposition 10 For every LTS, we have: $S \approx S_{\approx}$, and $S_1 \approx S_2$ iff $(S_1)_{\approx} \cong (S_2)_{\approx}$, where $\cong$ denotes the isomorphism over LTSs. ■

Finally, using the fact that $\approx$ is compatible with te (i.e. $\approx \subseteq$ te) and using the standard results of proposition 10, we deduce from proposition 9:

Proposition 11 For every LTS, we have: $S \text{ te } (nf(S))_{\approx}$, and $S_1 \text{ te } S_2$ iff $(nf(S_1))_{\approx} \cong (nf(S_2))_{\approx}$, where $\cong$ denotes the isomorphism over LTSs. ■

4 Example 

Figure 2 presents an example of the three former projections. Observational projection does not reduce the initial LTS. This is due to the fact that states $S_2$ and $S_3$ are not observationally equivalent, because their behaviours are respectively of the form $\tau;(P\,[]\,Q)\,[]\,\ldots$ and $\ldots$, which are not observationally equivalent.

Figure 2: testing projection provides an LTS less reduced than trace projection and more reduced than observation projection.

The system depicted by these LTSs can be viewed as the local service provided by a connection-oriented data transfer protocol which locally uses a rendez-vous communication between a protocol entity (i.e., service provider) and its user. The trace projection shows that initially the system can allocate a connection (ConReq), and then transmit data (DataReq) or accept disconnection (DisReq). The testing projection shows that, after connection, data transmission is not always possible. This is due to the presence of an internal transition that the system may execute without communicating with its environment, compelling the latter to stop data transfer. The abstraction made by this projection consists of ignoring the origin of this internal transition: it can represent either a remote or a local disconnection decision.
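The construction of Definitions 4 to 7 and the service of this section, as an added example in Python (not the paper's code). It builds $rg(S)$ by the deterministic subset construction over $\varepsilon$- and $\delta_a$-closures, attaches refusal sets, and derives $nf(S) = lts(rg(S))$. The first component of $Ref(g)$ is unreadable in the scan, so the example assumes the usual choice: refusals are observed at the stable states of $g$, as $out(g) \setminus out(s)$, and only maximal ones are kept. The LTS `CONN` is constructed to match the connection/data/disconnection service described above; the names `LTS`, `RG`, `refusal_graph`, `lts_of`, `normal_form` and `signature` are ours.

```python
"""Refusal graph rg(S), the lts transformation and nf(S) = lts(rg(S)).

Added example, not the paper's code: it follows Definitions 4-7 on a finite
LTS.  Assumption: the first component of Ref(g), unreadable in the scan, is
taken as the usual refusal computation at stable states,
    { out(g) \\ out(s) | s in g, s stable },  keeping the maximal sets only.
Names (LTS, RG, refusal_graph, lts_of, normal_form, signature) are ours.
"""
from collections import deque

TAU = "i"   # the internal action, written i in LOTOS


class LTS:
    """(S, Sigma, Delta, s0); transitions are triples (s, a, s')."""

    def __init__(self, trans, init):
        self.D = set(trans)
        self.s0 = init
        self.S = {init} | {p for (p, _, _) in self.D} | {q for (_, _, q) in self.D}
        self.Sigma = {x for (_, x, _) in self.D if x != TAU}

    def step(self, s, a):
        return {q for (p, x, q) in self.D if p == s and x == a}

    def eps(self, P):
        """epsilon(P): every s' with s =eps=> s' for some s in P (tau-closure)."""
        closure, work = set(P), deque(P)
        while work:
            s = work.popleft()
            for q in self.step(s, TAU):
                if q not in closure:
                    closure.add(q)
                    work.append(q)
        return frozenset(closure)

    def delta(self, P, a):
        """delta_a(P): every s' with s =a=> s' for some s in P."""
        return self.eps({q for s in self.eps(P) for q in self.step(s, a)})

    def out(self, P):
        """out(P): observable actions offered by some state of eps(P)."""
        return frozenset(x for s in self.eps(P)
                         for (p, x, _) in self.D if p == s and x != TAU)

    def stable(self, s):
        return not self.step(s, TAU)


class RG:
    """Refusal graph (G, Sigma, f, g0, Ref): f[(g, a)] is the unique a-successor."""

    def __init__(self, g0):
        self.g0, self.G, self.f, self.Ref = g0, {g0}, {}, {}

    def out(self, g):
        return frozenset(a for (h, a) in self.f if h == g)


def maximal(sets):
    sets = set(sets)
    return {X for X in sets if not any(X < Y for Y in sets)}


def refusal_graph(S):
    """Definition 5: deterministic subset construction with refusal sets."""
    rg = RG(S.eps({S.s0}))
    work = deque([rg.g0])
    while work:
        g = work.popleft()
        out_g = S.out(g)
        # Ref(g): refusals seen at the stable states of g (assumption above),
        # pruned to an antichain by keeping the maximal ones; X <= out(g) holds
        rg.Ref[g] = maximal(out_g - S.out({s}) for s in g if S.stable(s))
        for a in out_g:
            h = S.delta(g, a)
            rg.f[(g, a)] = h
            if h not in rg.G:
                rg.G.add(h)
                work.append(h)
    return rg


def lts_of(rg):
    """Definition 6: lts(g) = sum_{X in Ref(g)} i; sum_{a in out(g)\\X} a; lts(f_a(g))
                              + sum_{a in the intersection of Ref(g)} a; lts(f_a(g))."""
    trans = []
    for g in rg.G:
        out_g, refs = rg.out(g), rg.Ref[g]
        for X in refs:
            branch = (g, X)            # state reached by the internal choice for X
            trans.append((g, TAU, branch))
            for a in out_g - X:
                trans.append((branch, a, rg.f[(g, a)]))
        # actions refused at every stable state stay offered at the unstable root
        common = frozenset.intersection(*refs) if refs else frozenset()
        for a in common:
            trans.append((g, a, rg.f[(g, a)]))
        # a node with no stable state (divergence) gets no transitions: the
        # construction is meant for strongly convergent LTSs (see the Remark)
    return LTS(trans, rg.g0)


def normal_form(S):
    """Definition 7: nf(S) = lts(rg(S))."""
    return lts_of(refusal_graph(S))


def signature(rg):
    """Isomorphism-invariant summary of a refusal graph: sorted (out, Ref) pairs."""
    return sorted((tuple(sorted(rg.out(g))),
                   tuple(sorted(tuple(sorted(X)) for X in rg.Ref[g]))) for g in rg.G)


# Constructed sample (the service of Section 4): after ConReq the provider may
# silently decide to disconnect (tau to s3), after which only DisReq is offered.
CONN = LTS([("s0", "ConReq", "s1"), ("s1", "DataReq", "s1"), ("s1", "DisReq", "s0"),
            ("s1", TAU, "s3"), ("s3", "DisReq", "s0")], "s0")

if __name__ == "__main__":
    rg = refusal_graph(CONN)
    after_conreq = rg.f[(rg.g0, "ConReq")]
    print("Ref after ConReq:", [sorted(X) for X in rg.Ref[after_conreq]])
    print("nf(CONN) has", len(normal_form(CONN).S), "states")
```

On `CONN` the node reached after ConReq carries the refusal set {DataReq}, which is exactly the "data transmission is not always possible" fact the testing projection exposes, while the DataReq trace survives in $nf$ through the second summand of Definition 6. Running `refusal_graph` again on `nf(CONN)` gives a graph with the same signature, as Theorem 8 requires.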

5 Conclusion 

The underlying idea of the testing-projection can be summarised as follows:

• we characterise a particular family of LTSs called LTSs in normal form. For this family we prove that (weak) bisimulation equivalence is identical to testing equivalence.

• we provide a transformation from an LTS to a testing-equivalent LTS which is in normal form. This transformation relies on an abstract structure (we refer to it as Refusal graph [3]) that eliminates redundancy related to information that does not concern trace and deadlock properties.

• minimisation of this normal form preserves testing equivalence and reduces the state space of the LTS.

The minimisation part of the testing-projection can be conducted by means of strong bisimulation equivalence. This provides easier minimisation and is possible by slightly modifying (the definition of the normal form and) the "lts" transformation. This technique has been experimented on several communication protocols, namely MMS and OSI-TP. These experiences showed that in the first design steps the so-reduced system is useful for specification error detection and correction.
Equivalences of transition systems in an algebraic framework
In this paper we study simulation and bisimulation equivalences for transition systems from an algebraic point of view. For the simulation equivalence, the algebras are the free algebras of a monad on the category of transition systems. These algebras are however "concrete" because they are an "algebraic completion" of a system. A more interesting category of algebras seems to be the one we will propose for studying bisimulation; being related to the category of transition systems by a Stone duality it is in some sense canonical. Here by canonical we mean that the algebra associated to a transition system is as close as possible to the structure of the system (roughly speaking it is the space of ultrafilters on the system). Stone duality makes it possible to establish an equivalence between categories having a very different structure, for example between categories of algebras and categories of topological spaces [5] or between categories of domains and categories of algebras and logics [1, 3]. The Stone duality we present in this paper relates the category of transition systems to a category of algebras underlying a generalised Hennessy-Milner logic [4], that is algebras which contain the Lindenbaum algebras of this logic. As a test for the validity of abstract reasoning (i.e. algebraic tools) about transition systems, we will prove the equivalence of the notions of subalgebra and bisimulation relation, that is we will prove that two systems are in bisimulation if and only if they have an isomorphic subalgebra. It will follow then that the minimal subalgebra of the algebra of a system T corresponds by duality to the smallest transition system (w.r.t. number of states) which is in bisimulation with T.

1 Categories of action algebras and transition systems 

A complete atomic Boolean algebra (CBA for short) is a Boolean algebra $A$ in which the g.l.b. and l.u.b. operations are defined for all subsets of $A$ and such that there exists a subset $At(A) \subseteq A$ such that $A \cong \mathcal{P}(At(A))$ (the power set of $At(A)$).

Let CBA denote the category whose objects are complete atomic Boolean algebras and whose arrows are the structure-preserving maps. Note that if $\phi : A \to A'$ is an arrow in CBA, then there exists a unique set-theoretical map

$$\phi' : At(A') \to At(A)$$

such that (under the isomorphism $A \cong \mathcal{P}(At(A))$) we have $(\phi')^{-1} = \phi$. The map $\phi'$ is the underlying map of $\phi$.

Let $A$ be a CBA and $X$ a set; a linear action of $X$ on $A$ is given by a map $\alpha : X \times A \to A$ (we write $x.v$ instead of $\alpha(x, v)$) such that:

• $x.0 = 0$,

• $x.\bigvee V = \bigvee_{v \in V} x.v$.

The category of actions of $X$ over complete atomic Boolean algebras (denoted AC) has as objects pairs $(A, \alpha)$ (let us call such a pair an action algebra) where $A$ is a CBA and $\alpha$ is a linear action of $X$ over $A$. An arrow $\phi : (A, \alpha) \to (A', \alpha')$ is a CBA morphism between $A$ and $A'$ which satisfies the inequality:

$$x.\phi(v) \leq \phi(x.v)$$

A transition system is a pair $T = (S, T)$ (we use the same letter $T$ to indicate the set of transitions and the transition system) where $S$ is the set of states and $T \subseteq S \times X \times S$ is the set of transitions, whose elements we denote as $s \xrightarrow{x} s'$. A transition system map $f$ from $(S, T)$ to $(S', T')$ is a set-theoretic map $f : S \to S'$ such that

$$s \xrightarrow{x} s' \in T \;\Rightarrow\; f(s) \xrightarrow{x} f(s') \in T'$$

Let TS denote the category of transition systems over a set of actions $X$.

The categories TS and AC are related by two contravariant functors $Ts : AC \to TS$ and $Ac : TS \to AC$.

• The functor $Ts$ is defined as follows:

$Ts(A, \alpha) = (At(A), T_A)$ where $a_1 \xrightarrow{x} a_2 \in T_A$ iff $a_1 \leq x.a_2$;
$Ts(\phi) = \phi'$ (the underlying map defined before).

• The functor $Ac$ is defined in the following way:

$Ac(T) = (\mathcal{P}(S), \alpha)$ where $\alpha(x, v) = \{s_1 \in S \mid \exists s_2 \in v \text{ such that } s_1 \xrightarrow{x} s_2\}$;
$Ac(f) = f^{-1}$.

Proposition 1 The categories TS and AC are dual (i.e. $TS \cong AC^{op}$).

Indeed the duality between TS and AC is a Stone duality: roughly speaking this means that there exists an action algebra $\Omega_{AC}$ and a transition system $\Omega_{TS}$ such that the functor $Ts$ is naturally isomorphic to the Hom-enriched¹ functor $AC(-, \Omega_{AC})$ and the functor $Ac$ is naturally isomorphic to the Hom-enriched functor $TS(-, \Omega_{TS})$. For example, the transition system $\Omega_{TS}$ is the two-state system carrying every possible transition:

$$\Omega_{TS} = (\{0, 1\},\ \{s_i \xrightarrow{x} s_j \mid s_i, s_j \in \{0, 1\},\ x \in X\})$$

The action algebra $\Omega_{AC}$ is the two-element algebra with the trivial action:

$$\Omega_{AC} = (\{0, 1\}, \alpha) \quad \text{where } \alpha \text{ is defined by } x.a = 0 \text{ for } a \in \{0, 1\}$$


¹ By "enriched" we mean that the functor $AC(-, \Omega_{AC})$ associates to an action algebra $A$ the set $Hom_{AC}(A, \Omega_{AC})$ equipped with a transition system structure.
Proposition 2 • The functors $Ac$ and $TS(-, \Omega_{TS})$ are naturally isomorphic.

• The functors $Ts$ and $AC(-, \Omega_{AC})$ are naturally isomorphic.


2 Simulation equivalence and Kleisli category 

Given two transition systems $T = (S, T)$, $T' = (S', T')$, a simulation between $T$ and $T'$ is a relation $\mathcal{H} \subseteq S \times S'$ such that:

(1): For any $s \in S$ there exists $s' \in S'$ such that $(s, s') \in \mathcal{H}$.

(2): For any $s_1 \xrightarrow{x} s_2 \in T$, if $(s_1, s_1') \in \mathcal{H}$ then there exists $s_2' \in S'$ such that $s_1' \xrightarrow{x} s_2' \in T'$ and $(s_2, s_2') \in \mathcal{H}$.

A bisimulation between $T$ and $T'$ is a simulation $\mathcal{R}$ between $T$ and $T'$ such that $\mathcal{R}^{-1}$ is a simulation between $T'$ and $T$.

Let us consider the functor $Sm : TS \to TS$, defined on objects by $Sm(S, T) = (\mathcal{P}^+(S), T^+)$ where:

• $\mathcal{P}^+(S)$ is the set of non-empty subsets of states of $S$;

• $V_1 \xrightarrow{x} V_2 \in T^+$ iff for any $s_1 \in V_1$ there exists $s_2 \in V_2$ such that $s_1 \xrightarrow{x} s_2 \in T$.

$Sm$ is defined on arrows by $Sm(f) = f^+$, $f^+$ being the extension of $f : (S, T) \to (S', T')$ to the subsets of $S$. Intuitively the functor $Sm$ maps a transition system $T$ into the space of all possible simulations on $T$.

The functor $Sm$ has a natural structure of monad $(Sm, \eta, \mu)$, so that we can consider the Kleisli category of $Sm$ on TS, noted $TS_{Sm}$. We then characterise simulation equivalence as follows:

Proposition 3 Let $T, T'$ be two transition systems. Then there exists a simulation between $T$ and $T'$ iff there exists an arrow between $T$ and $T'$ in $TS_{Sm}$.

3 Action algebras and Bisimulation 

A subalgebra $A'$ of an action algebra $(A, \alpha)$ is given by a subset of elements of $A$ which is closed under the operations. By using the isomorphism between $A$ and $\mathcal{P}(At(A))$, we can consider set-theoretic operations on atoms of $A$; hence we define a subalgebra of $(A, \alpha)$ as a subset $A'$ of elements of $A$ such that: for any $v \in V \subseteq A'$ and for any $x \in X$ the elements $0,\ 1,\ \bigcup V,\ \bigcap V,\ \neg v,\ \alpha(x, v)$ are in $A'$.

We can prove then: 

Theorem 1 Two transition systems $T, T'$ are in bisimulation iff $Ac(T)$, $Ac(T')$ have an isomorphic subalgebra.

The subalgebras of a given algebra are closed under arbitrary intersections; in particular the intersection of all subalgebras of $A$ is a subalgebra, which is the smallest (w.r.t. inclusion) subalgebra of $A$. This minimal subalgebra has a very interesting property:

Theorem 2 Let $T$ be a transition system and let $A_0$ be the minimal subalgebra of $Ac(T)$. Then the smallest transition system (w.r.t. number of states) which is in bisimulation with $T$ is the transition system $Ts(A_0)$.
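The two functors of Section 1 and the minimal subalgebra of Theorem 2, as an added example in Python (not the paper's code). On a finite system $Ac(T)$ is the full power set of $S$ with $\alpha(x, v)$ the set of $x$-predecessors of $v$; $Ts$ takes the atoms of an algebra with $a_1 \xrightarrow{x} a_2$ iff $a_1 \leq x.a_2$; the minimal subalgebra is obtained as the closure of $\{0, 1\}$ under complement, union, intersection and the actions. Its atoms are the blocks of the coarsest bisimulation and $Ts$ of it is the smallest bisimilar system. The transition system `SAMPLE` is constructed for the example and the names `TS`, `AC`, `ac`, `ts`, `minimal_subalgebra` and `bisimulation_classes` are ours.

```python
"""Stone duality between transition systems and action algebras.

Added example, not the paper's code.  It implements the two functors of
Section 1 on finite systems (Ac(T) = (p(S), a) with a(x, v) the x-predecessors
of v; Ts(A, a) = (At(A), T_A) with a1 -x-> a2 iff a1 <= x.a2) and the minimal
subalgebra of Theorem 2, whose dual transition system is the smallest system
bisimilar to T.  Names (TS, AC, ac, ts, minimal_subalgebra) are ours.
"""
from itertools import product


class TS:
    """Transition system T = (S, T) over actions X; transitions are (s, x, s')."""

    def __init__(self, states, trans):
        self.S = frozenset(states)
        self.T = frozenset(trans)
        self.X = frozenset(x for (_, x, _) in self.T)


class AC:
    """Action algebra (A, a).  A is a CBA presented as a family of subsets of a
    base set (A ~ p(At(A))); act(x, v) is the linear action x.v."""

    def __init__(self, base, elements, actions, act):
        self.base = frozenset(base)
        self.A = frozenset(elements)
        self.X = frozenset(actions)
        self.act = act


def powerset(S):
    S = list(S)
    return {frozenset(s for s, bit in zip(S, bits) if bit)
            for bits in product((0, 1), repeat=len(S))}


def ac(T):
    """Functor Ac: Ac(T) = (p(S), a) with a(x, v) = {s1 | exists s2 in v, s1 -x-> s2}."""
    def act(x, v):
        return frozenset(s1 for (s1, y, s2) in T.T if y == x and s2 in v)
    return AC(T.S, powerset(T.S), T.X, act)


def atoms(A):
    """At(A): the minimal non-zero elements of the algebra."""
    nonzero = [v for v in A.A if v]
    return frozenset(v for v in nonzero if not any(w < v for w in nonzero))


def ts(A):
    """Functor Ts: Ts(A, a) = (At(A), T_A) with a1 -x-> a2 iff a1 <= x.a2."""
    at = atoms(A)
    trans = {(a1, x, a2) for a1 in at for a2 in at for x in A.X
             if a1 <= A.act(x, a2)}
    return TS(at, trans)


def minimal_subalgebra(A):
    """Smallest subset of A containing 0 and 1 and closed under complement,
    union, intersection and every action x.v (binary closure suffices on a
    finite algebra).  By Theorem 2, Ts of this subalgebra is the smallest
    transition system bisimilar to the system A came from."""
    closed = {frozenset(), A.base}
    while True:
        new = set(closed)
        for v in closed:
            new.add(A.base - v)
            for x in A.X:
                new.add(A.act(x, v))
            for w in closed:
                new.add(v | w)
                new.add(v & w)
        if new == closed:
            return AC(A.base, closed, A.X, A.act)
        closed = new


def bisimulation_classes(T):
    """Blocks of the coarsest bisimulation on T = atoms of the minimal subalgebra."""
    return atoms(minimal_subalgebra(ac(T)))


# Constructed sample: p1 branches to p2 or p3, which behave alike (b, then stop).
SAMPLE = TS({"p1", "p2", "p3", "p4", "p5"},
            {("p1", "a", "p2"), ("p1", "a", "p3"),
             ("p2", "b", "p4"), ("p3", "b", "p5")})

if __name__ == "__main__":
    print("Ts(Ac(T)) states:", len(ts(ac(SAMPLE)).S))
    print("bisimulation classes:", [sorted(c) for c in bisimulation_classes(SAMPLE)])
    print("minimal system:", len(ts(minimal_subalgebra(ac(SAMPLE))).S), "states")
```

`ts(ac(SAMPLE))` returns the original five-state system (Proposition 1 on objects), while the minimal subalgebra has eight elements generated by the three blocks {p1}, {p2, p3} and {p4, p5}, so `ts` of it is the three-state quotient. The closure loop is only meant for small finite systems: the power set it works inside grows as $2^{|S|}$.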
4 Skeleton of an action algebra

Note that in the case of a CBA the notion of minimal subalgebra is trivial, the latter always being the algebra $\{0, 1\}$. The presence of actions in the category AC makes this notion non-trivial, since for any $x \in X$ the element $x.1$ (which in general is not 0) must be in the minimal algebra. Hence we are looking for a set $\Sigma_A$, the skeleton of the algebra $A$, that is the smallest subset of $A$ containing 1 and closed under linear actions.

$\Sigma_A$ is included in the minimal subalgebra of $A$ and has moreover a natural structure of transition system (note that $\Sigma_A$ is a rooted transition system, the root being the 1 of the algebra).

We then define a skeleton homomorphism between two skeletons $\Sigma, \Sigma'$ as a transition system morphism which preserves the root, and investigate the equivalence induced by skeleton isomorphism, which we note $\sim_\Sigma$. This is a rather weak equivalence. Indeed we have:

Proposition 4 Let $T$ and $T'$ be two transition systems such that for any $s \in S$ there exists a trace-equivalent state $s' \in S'$ and for any $s' \in S'$ there exists a trace-equivalent state $s \in S$. Then $T \sim_\Sigma T'$.











References

[1] S. Abramsky. Domain theory in logical form. Proceedings of the 2nd Annual Symposium on Logic in Computer Science, 1987.

[2] A. Arnold. Systèmes de transitions finis et sémantique des processus communicants. Masson, 1992.

[3] T. Ehrhard, P. Malacaria. Stone duality for stable functions. Proceedings of Category Theory in Computer Science, LNCS 530.

[4] M. Hennessy, R. Milner. Algebraic laws for nondeterminism and concurrency. Journal of the ACM, vol. 32, 1985.

[5] P. Johnstone. Stone Spaces. Cambridge University Press, 1982.


















Semantics frameworks for a class of modular algebraic nets

E. Battiston, V. Crespi, F. De Cindio, G. Mauri

Dipartimento di Scienze dell'Informazione - Università degli Studi di Milano
email: decindio@hermes.unimi.it












Among the various proposals for an 'Algebraic Specification of Concurrency' [AR], OBJSA Nets [BDMa] are a class of algebraic high-level nets which combine Superposed Automata (SA) nets, a modular class of Petri nets, and the algebraic specification language OBJ. OBJSA Nets together with their support environment ONE (OBJSA Net Environment) constitute a specification language for distributed systems which is called OBJSAN, as each OBJSAN specification is mapped by ONE into an OBJSA Net [BDMb].

To enhance specification modularity and reusability, an OBJSAN specification is obtained by composing, via transition fusion (i.e., superposition), some OBJSAN (open) components. An OBJSAN component is a couple which consists of a net and an OBJ module. The net part expresses the control of the system to be specified and the OBJ part describes data modification through the occurrence of events modelled by net transitions. An OBJSAN component is either closed, if all of its transitions are closed, or open if it contains at least one open transition, i.e., a transition which is only partially extensionally specified, since couples of its input/output places have to be identified through superposition of the transition itself with other transition(s). Open transitions represent the interface of the component toward other components, and are specified by non-executable modules (in OBJ called theories), while closed transitions are specified by executable modules (in OBJ called objects).

With the aim of defining a formal semantics for this class of algebraic high-level Petri nets, two operators have been defined in [BDMR]: Spec(_) and Unf(_). They map an OBJSAN closed component (in the following called OBJSAN system) C respectively to an OBJ module Spec(C), called the Specification module (by translation of the net scheme into conditional equations and operators), and to a 1-safe SA labelled pure net Unf(C) (an Elementary Net system), called the Unfolding net (by translation of the OBJ specification into net elements).

While Unf(_) supports concurrency well, since it produces Elementary Net (EN) systems whose categorical semantics has been defined in [DKPS], Spec(_) is less satisfactory because of the loss of concurrency due to the OBJ3 sequential semantics. The idea is therefore to turn to the specification language MAUDE.

Let us recall that MAUDE is a specification language syntactically similar to OBJ3 whose operational and denotational semantics were defined by Meseguer in [MESa]. In MAUDE there exist essentially two kinds of modules: functional modules (whose syntax is entirely identical to OBJ3) and system modules. While the operational semantics is concurrent rewriting for both kinds of modules, the denotational semantics is different. For the functional modules it is the usual initial algebra associated to the equational specification (so MAUDE has OBJ3 as a sublanguage). For the system modules it is a categorical model which describes the system whose behaviour is specified by the rewriting rules.

More precisely, let us consider a case that will be useful in the following. Suppose we have a MAUDE system module M which imports a functional module M'. M codes a rewrite theory $\mathcal{R} = (\Sigma, E, L, R)$ while M' codes a rewrite theory $\mathcal{R}' = (\Sigma', E', L', R')$, where $\Sigma$ (resp., $\Sigma'$) is an equational signature, $E$ (resp., $E'$) is a set of $\Sigma$-equations, $L$ (resp., $L'$) is a set of labels, and $R$ (resp., $R'$) is a set of conditional rewriting rules of the type

$$l : [t]_E \to [t']_E \ \text{ if } Cond, \qquad \text{with } l \in L \text{ and } t, t' \in T_{\Sigma, E}(X)$$

(resp. for $R'$). The operational semantics of the global specification is given by a categorical model in which the objects are the elements of $T_{\Sigma \cup \Sigma', E \cup E'}(X)$ and the arrows are all the possible sequents $[t]_{E \cup E'} \to [t']_{E \cup E'}$ inductively generated by the rewriting logic inference rules starting from $R \cup R'$. In practice this means that we have concurrent rewriting modulo $E \cup E'$ on the terms $T_{\Sigma \cup \Sigma', E \cup E'}(X)$ by using $R \cup R'$ as rewriting rules [MESa], i.e. concurrent rewriting in both the system module (called supermodule in the following) and the functional module (called submodule).

The denotational semantics is given by a categorical model in which the objects are the elements of $T_{\Sigma \cup \Sigma', E \cup E' \cup Unlabel(R')}(X)$ and the arrows are all the possible sequents $[t]_{E \cup E' \cup Unlabel(R')} \to [t']_{E \cup E' \cup Unlabel(R')}$ inductively generated by the rewriting logic inference rules starting from $R$. So the denotational semantics treats the rewriting rules in the functional module as equations, whose semantics is the initial algebra. Then only the rewriting rules in the system supermodule are interpreted as arrows (classes of closed arrows) of the categorical model.

According to these considerations, here we redefine Spec(_) as the operator which maps an OBJSAN system C = (N, A) to a MAUDE system module which imports functional modules; a (conditional) rewriting rule in the system module is associated with each transition $t \in T$, while the functional submodules contain the coded specification of the data structure of C (the information in A).

As we are now able to associate a MAUDE module Spec(C) and an EN system Unf(C) with each OBJSAN system C, to give it a semantics we consider the categorical models developed for MAUDE modules (by Meseguer [MESa], see above) and for Petri nets (by Meseguer & Montanari [MM]) and we verify the isomorphism between the two semantics. As we shall see, both categorical semantics turn out to be redundant. The reason is that OBJSAN systems introduce, for modelling purposes, constraints on the marking: tokens are couples <a_name; some_data>, where the name represents the token identity, which cannot change by transition occurrence and is unique in each elementary subnet of an OBJSAN system. Therefore, the net markings are multisets of tokens without multiplicity (i.e., sets) and the Unf(_) operation maps an OBJSAN system C to a contact-free EN system (while proper multisets at the higher level would require a P/T system at the lower level).


fig. 1: C = (N, A) is mapped to the MAUDE module Spec(C) (arrow 1) and to the EN system Unf(C) (arrow 5); Spec(C) yields the conditional rewriting theory $\mathcal{R}_C$ (arrow 2) and Unf(C) the ground rewriting system $T_C$ (arrow 4); the instantiation theorem (arrow 3) relates $\mathcal{R}_C$ and $T_C$; arrow 6 gives the full subcategory of the Meseguer model obtained by constraining the rewriting logic inference rules, and arrow 7 the partial commutative monoid on a category.

The relationship between Spec(_) and Unf(_) is stated by a theorem that we call 'instantiation theorem', as it proves that by instantiating the rewriting rules of the system part of Spec(C) with ground terms and considering only those rules whose predicates are reduced to true (representing transitions with a chance of occurring), we get the transitions of Unf(C).

More formally, let C = (N, A) be an OBJSAN system and let us derive its MAUDE Specification module Spec(C) and its Unfolding net Unf(C) (arrows 1 and 5 in fig. 1).

As we have seen, Spec(C) codes two rewrite theories $\mathcal{R} = (\Sigma, E, L, R)$ and $\mathcal{R}' = (\Sigma', E', L', R')$, respectively associated with the system module and with the functional submodules. The rewriting theory $\mathcal{R}_C = (\Sigma \cup \Sigma', E \cup E' \cup Unlabel(R'), L, R)$ (arrow 2) gives the denotational semantics of Spec(C), according to [MESa].

According to the construction given in [DKPS], which specializes the Meseguer & Montanari work for P/T nets to EN systems, Unf(C) can be translated into a set of ground rewriting rules which we name $T_C$ (arrow 4). For example, a transition $t$ in an EN system is translated into the rewriting rule

$$s_1 \otimes \ldots \otimes s_n \;\to\; s'_1 \otimes \ldots \otimes s'_m \qquad [\text{commutativity, associativity, identity: } \lambda]$$

where ${}^\bullet t = \{s_1, \ldots, s_n\}$ and $t^\bullet = \{s'_1, \ldots, s'_m\}$. $T_C$ gives the denotational semantics of Unf(C), according to [DKPS].

Then, the instantiation theorem (arrow 3) states that by instantiating the open (conditional) rewriting rules in $\mathcal{R}_C$ with ground terms and considering only the conditional equations whose predicates are reduced to true we get $T_C$. In the following we sketch its proof, whose kernel consists of three constructive lemmas related as shown in fig. 2.


H !^pr(md„()) 


•m • fmy -* fm<SPEC> 



L«gnnia3 


C„e„{t„y„)®..®C^e„(t„,yj„) - 


®(»y|i.i)® ••®(tyjn..n)) -♦ 

ty„ ,{e(md()))®..®ty',„ bnieCn’dO)) 


with md„() - mod«(t„y„....t,„y^). md()-mod*(ty,, ,....ty,„^). 

fig 2 

Take a transition $t \in T$ of an OBJSAN system C and a ground substitution $\theta$ of the input arc inscriptions (representing an occurrence mode enabling $t$ in a certain marking): we get, via lemma 1, a conditional rewriting rule $r_t$ with a corresponding ground substitution $\theta_m$ for $var(r_t)$ and, via lemma 2, a ground rewriting rule $t_\theta$. Lemma 3 closes the cycle: by instantiating $r_t$ with $\theta_m$ we get $t_\theta$.

The rewriting system $T_C$ is obtained directly by applying lemma 2 to the transitions of C. The rewrite rules in $\mathcal{R}_C = (\Sigma_1, E_1, L_1, R_1)$ are obtained directly by applying lemma 1 to the transitions of C, while the equations $E_1$ concern the data part of C. As we have said, the MAUDE functional modules specify data, i.e., the token carriers, the occurrence predicates $t_{mpr}$ and the arc inscriptions containing the variables $t_{my}$ and the operators $t_{my'}()$. In fact the carriers of tokens together with the operations defined on them are abstract data types. We instead use system modules to specify control, i.e., local transitions.

The idea is that concurrent term rewriting in system modules captures the concurrency expressed by the control part of the net, while concurrent term rewriting in functional modules performs the parallel computation of the operators $t_{my'}$. Lemma 3 proves the semantic equivalence between Spec(C) and Unf(C), namely between the concurrency expressed by the system module, captured by $\mathcal{R}_C$, and the concurrency expressed by the Unfolding EN system, captured by $T_C$. Besides, the lemma proves that the concurrent application of two conditional rewriting rules $r_1$ and $r_2$ of $\mathcal{R}_C$ to a marking term $s$ (with substitutions $\theta_{m1}$ and $\theta_{m2}$) represents the concurrent occurrence of the two corresponding low-level transitions $r_1\theta_1$ and $r_2\theta_2$ of $T_C$ in the marking represented by $s$.

Let us now discuss the redundancy of the two categorical models due to the constraints which characterize OBJSAN systems.

a) The categorical model proposed by Meseguer, when applied to our case ($\mathcal{R}_C$), is redundant because the inductive generation of the category (by the rewriting logic inference rules) would produce arrows without corresponding net computations. We get the correct model by constraining the rewriting logic inference rules. What we obtain is a full subcategory of Meseguer's original model in which objects are associated with admissible net states only (arrow 6). Such states are denoted by terms not containing two or more identical tokens: this is because OBJSAN system markings do not allow multisets of tokens with multiplicity. From the operational point of view, proofs in this modified Meseguer formal system represent the simultaneous application of several rewrite rules of $\mathcal{R}_C$ to a correct marking term, so that concurrent term rewriting models concurrent transition occurrence. In practice, since we can consider only marking terms $s$ without multiplicity, it is possible to concurrently apply two or more rewriting rules $r_i$ of $\mathcal{R}_C$ to $s$ if and only if the corresponding matching substitutions $\theta_{mi}$ do not share any token (i.e., the occurrence modes are disjoint).

b) The categorical model for P/T nets defined in [MM] is redundant when applied to EN systems, as shown in [DKPS]. The redundancy is eliminated by reducing the parallel sum carrier, leading to a partial commutative monoid on a category (arrow 7) (cf. the category in [DKPS]).
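The ground rewriting system $T_C$ and the concurrency condition of point a), as an added example in Python (not the authors' code). Each EN transition is stored as its ground rule ${}^\bullet t \to t^\bullet$; since markings are sets, a marking is a frozenset and the rule fires modulo commutativity, associativity and identity of $\otimes$ simply by set difference and union. Several rules are applied in one step only when the tokens they consume or produce are pairwise disjoint, the standard EN step condition that corresponds to the disjoint occurrence modes of point a). The net `NET` is constructed for the example and the names `ENSystem`, `enabled`, `concurrent`, `step` and `reachable` are ours.

```python
"""Ground rewriting system T_C of a contact-free EN system.

Added example, not the paper's code.  A transition t with preset •t and
postset t• is the ground rule  s1 (x) ... (x) sn -> s'1 (x) ... (x) s'm  modulo
associativity, commutativity and identity of (x).  Because OBJSAN markings are
sets (tokens without multiplicity) a marking is a frozenset, and a concurrent
step of several rules is admissible only when the tokens they match and
produce are pairwise disjoint.  Names (ENSystem, enabled, concurrent, step,
reachable) are ours.
"""
from collections import deque


class ENSystem:
    def __init__(self, rules):
        # rules: name -> (preset, postset); each side is a set of places
        self.rules = {t: (frozenset(pre), frozenset(post))
                      for t, (pre, post) in rules.items()}

    def enabled(self, marking, t):
        """•t ⊆ m, and contact-freeness: t• must be empty in m outside •t."""
        pre, post = self.rules[t]
        return pre <= marking and not (post & (marking - pre))

    def concurrent(self, ts):
        """Rules may fire in one step only if their occurrence modes are
        disjoint: no shared place consumed or produced."""
        for i in range(len(ts)):
            pi, qi = self.rules[ts[i]]
            for j in range(i + 1, len(ts)):
                pj, qj = self.rules[ts[j]]
                if (pi | qi) & (pj | qj):
                    return False
        return True

    def step(self, marking, ts):
        """One proof of the sequent m -> m' by simultaneous application of ts;
        raises if the rules are not jointly applicable."""
        ts = list(ts)
        if not self.concurrent(ts):
            raise ValueError("rules share tokens: %s" % ", ".join(ts))
        if not all(self.enabled(marking, t) for t in ts):
            raise ValueError("some rule is not enabled in %s" % sorted(marking))
        consumed = frozenset().union(*(self.rules[t][0] for t in ts))
        produced = frozenset().union(*(self.rules[t][1] for t in ts))
        return (marking - consumed) | produced

    def reachable(self, m0):
        """Admissible net states: markings reachable by single occurrences
        (steps add arrows to the model, not markings)."""
        start = frozenset(m0)
        seen, work = {start}, deque([start])
        while work:
            m = work.popleft()
            for t in self.rules:
                if self.enabled(m, t):
                    m2 = self.step(m, [t])
                    if m2 not in seen:
                        seen.add(m2)
                        work.append(m2)
        return seen


# Constructed sample: two independent token flows (a -> b and c -> d) plus a
# transition t3 competing with t1 for the token in a.
NET = ENSystem({"t1": ({"a"}, {"b"}), "t2": ({"c"}, {"d"}), "t3": ({"a"}, {"e"})})

if __name__ == "__main__":
    print("step t1||t2 from {a,c}:", sorted(NET.step({"a", "c"}, ["t1", "t2"])))
    print("t1 and t3 concurrent?", NET.concurrent(["t1", "t3"]))
    print("reachable markings:", len(NET.reachable({"a", "c"})))
```

`t1` and `t2` match disjoint tokens and fire together as one arrow of the constrained model, while `t1` and `t3` both match the token in `a` and are rejected; `enabled` also refuses the contact situation in which the post-place already holds a token, which is what keeps the unfolding inside the contact-free EN systems described above.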

By removing the constraints characterizing OBJSAN systems we fall into the more general class of SPEC-inscribed nets [REI], to which Unf(_) and Spec(_) can be extended: in that case the Meseguer and Meseguer & Montanari categorical models would not be redundant. Nevertheless, as a counterpart, SPEC-inscribed nets do not support modularity and therefore have no notion of parameterized open component. Indeed, our current effort is extending the approach to the semantics of OBJSAN open components, towards using the categorical framework presented here for characterizing concurrent object-oriented languages (cf. [BCDM] and [MESb]).
Introduction

We compare in this paper graphic and algebraic representations of parallel networks of processes. More exactly, we characterise the class of graphically definable networks that can be represented in LOTOS, that is to say by means of a LOTOS expression which combines the processes in the network by instances of the LOTOS parallel operator.

Unfortunately the obtained characterization is far from trivial and, due to its complexity, one could even think that it should not be called a characterization. Thus, instead of a characterization we could say that what we have obtained is an efficient algorithm to decide if a given network is representable. If finally we have decided to insist on the use of the word characterization, it is mainly to emphasize the efficiency of the obtained algorithm. Due to the finite nature of the considered problem it is obvious that it is decidable; but at the same time, its combinatorial flavour makes it reasonable to expect an exponential complexity, and even to conjecture that the problem is NP-complete. As a matter of fact we thought for a long time that this was the case, once we proved that several, more and more sophisticated, natural algorithms to solve the question were not correct.

The work was motivated by our joint work with T. Bolognesi in [3, 2], exploring the (partial) associativity properties of the LOTOS parallel operator. First results on the subject, obtained by our colleague, were presented in [1]. Another contribution to the study of the subject is [4], where a simple example proving that not every parallel network is LOTOS-representable was presented, but no characterization of the set of representable networks was given there.

We consider that the work is interesting for several reasons. First, it compares two different formal methods for defining concurrent systems: a graphical approach, which we formalize using some basic graph notions, and an algebraic approach, mainly the LOTOS language (or equivalently CSP with its generalized parallel operator). By characterizing the kind of networks that are LOTOS-representable, we show to what extent this kind of graphical representation can be used to specify systems when we want to use the algebraic framework to analyze, or to transform, the obtained specifications. On the other hand, if we focus on the algebraic formalism, we show the exact limits of the expressive power of the (LOTOS) parallel operator.

Besides, we consider that the proof of the characterization is rather interesting by itself, showing an application of many different techniques for proving properties of algebraically defined systems. The use of operational semantics, induction, normal forms, reductions of difficult instances of the problem to simpler ones, and some others, are illustrated.


Definitions 

In the following we will sketch the main definitions and results to be extended in the full paper. 

Definition 1 A general process-gate net GPGN is an undirected bipartite graph $(P, G, E)$, where $P$ is a set of so-called process-nodes, $G$ is a set of gate-nodes, and $E \subseteq P \times G$ is a set of arcs. □

Definition 2 A labelled process-gate net LPGN is a triple $(GN, GL, AL)$ where $GN = (P, G, E)$ is a GPGN, $GL : G \to Gates$ is a labelling function, and $AL : P \to \mathcal{P}(Gates)$ is a function defining the (maximal) alphabet of the processes to be associated to each process node, such that $\forall (P_i, g) \in E,\ GL(g) \in AL(P_i)$, and

$$\forall P_i \in P\ \ \forall a \in AL(P_i)\ \ \exists g \in G\ \ \exists e = (P_i, g) \in E \mid GL(g) = a$$ □

*This work has been partially supported by ESPRIT Project 2304: LOTOSPHERE.

Remark: The last condition in the previous definition is included in order to give every appearance of an action in the process labelling each node a chance to be executed.

Definition 3 A concrete process-gate net CPGN is an instantiated GPGN, which means a pair $(LN, PL)$ where $LN = (GN, GL, AL)$, with $GN = (P, G, E)$, is an LPGN, and $PL : P \to Proc$, with $Alphabet(PL(P_i)) \subseteq AL(P_i)$ for each $P_i \in P$. □

This definition is more general than the one given in [3], where $GL$ had to be injective, and each process had to be connected with any gate-node labelled by any of its gates. This restriction was included there (and also in [1]) in order to formalize the so-called maximal cooperation principle, which obliges any process including a gate in its alphabet to cooperate in the execution of the corresponding action. We have dropped this restriction, which had already been done (although in a different framework) in [2].

Definition 4 (Operational semantics of CPGNs) Let $CPGN = (LN, PL)$ be a concrete process-gate net with $LN = (GN, GL, AL)$ and $GN = (P, G, E)$. For each $g \in G$, if all the processes $B_i$ labelling process-nodes connected with $g$ can execute the action $GL(g)$, evolving into $B_i'$, then $CPGN$ can also execute that action, evolving into $CPGN' = (LN, PL')$, where $PL'$ is defined as $PL$, but taking $PL'(P_i) = B_i'$ for each process node $P_i$ connected with $g$. □

We want to decide if for a given LPGN we can construct an equivalent LOTOS representation $LRep(LN)$, which means a parallel expression combining the process variables in $P$ by parallel operators $|[S]|$, with $S \subseteq Gates$, such that for any concrete instance of $LN$, $CN = (LN, PL)$, we have $CN \sim LRep(LN)[PL(P_i)/P_i]$, where by $[B_i/P_i]$ we denote the substitution of all the appearances of the variables $P_i$ by the corresponding processes $B_i$.

We apply a constructive method to answer the question, so that whenever there exists any LOTOS expression representing the given network, we obtain one of them.


The algorithms to check LOTOS-representability of a network 

To solve the problem we have followed a three steps procedure, generalizing at each step the kind of networks 
that can appear as input. 

In the first step we consider the case in which the given network has a single gate. This simple case is studied because, to solve the general case, we have first to solve each of the problems corresponding to the projection of the network over each one of its gates, and then to check if all the obtained solutions are somehow compatible with each other.

But this reduction of the problem to a family of problems corresponding to single gates, only works 
whenever all the alphabets of the process nodes of the network are the same, and thus for each process-node p 
and gate a there is some gate-node g labelled with a connected with p. This is the case that we have studied 
in the second step of our procedure. 

Our first idea in order to solve the general case was to try to reduce it to that particular case. But that 
showed us to be not possible, since the fact that any process appearing in the expressions computed along the 
application of the algorithm, could eventually execute some action through any of the gates of the network, 
was crucial in order to prove the correctness of the tdgorithm. 

Therefore we had to change our approach to the question, looking directly for the appropiate generalization 
of the algorithm to solve the general instance of our problem. If finally we have decided to include in this 
paper the solution for the previous (partial) case, it is mainly for pedagogical reasons, since both the general 
algorithm and ito correctness proof are absolutely inspired by the corresponding ones for that particular case. 

First Case: Networks with a single gate 

We consider in this section the particular case in which the system has a single gate, that is to say |GL(G)| = 1. In such a case the kind of parallel expressions in which we are interested can be represented, as already suggested by T. Bolognesi in [2], as arithmetic expressions, rewriting ||| into + and |[a]| into ·.

We can translate the definition of the operational semantics of LOTOS to this arithmetic framework, obtaining the following rules (either argument of a sum may act alone, while both arguments of a product must act together):

$$\frac{E_1 \xrightarrow{a} E_1'}{E_1 + E_2 \xrightarrow{a} E_1' + E_2} \qquad \frac{E_2 \xrightarrow{a} E_2'}{E_1 + E_2 \xrightarrow{a} E_1 + E_2'} \qquad \frac{E_1 \xrightarrow{a} E_1' \quad E_2 \xrightarrow{a} E_2'}{E_1 \cdot E_2 \xrightarrow{a} E_1' \cdot E_2'}$$

Besides, the commutativity of both operators and the distributive axiom $(E_1 + E_2) \cdot E_3 = (E_1 \cdot E_3) + (E_2 \cdot E_3)$ are also correct in this framework. Then our problem reduces to proving whether that expression can be rewritten into another (equivalent) one with a single occurrence of each process variable, by application of the commutativity of both operators and of the distributive axiom in the right-to-left direction.

In order to check that property, we concentrate on the root operator of the (present state of the) expression to be reduced. If it is a product, then there cannot be any common process variable in its two arguments, and thus the problem can be reduced to the simplification of both arguments. Otherwise we select any process variable with more than a single occurrence in the expression, and we try to eliminate its repeated occurrences by application of the distributive axiom. If this is not possible, then the algorithm fails, concluding that the original network is not LOTOS-representable. Otherwise we iterate the process until no variable occurs more than once in the expression. Since no backtracking is needed along the application of the procedure, it is easy to check that, using adequate data structures to represent the involved expressions, the cost of the algorithm is (in the worst case) quadratic in the size of the network.

An important auxiliary result, which besides is rather interesting in itself, needed to prove the correctness of this algorithm, is the one telling us that two essentially different (up to commutativity and associativity) expressions with single occurrences of each process variable are not equivalent. This result could seem trivial, which is somewhat disproved by the (relative) complexity of its formal proof. As a matter of fact the correctness proof of our algorithm (which, at least in our opinion, is far from obvious) is nearly immediate once one can use this auxiliary result.
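As an added illustration of the single-gate case (this is not the paper's code, and it does not follow the paper's rewriting procedure): a net is entered as the list of its gate-nodes, each the set of process nodes it connects, and representability is decided by the equivalent co-occurrence-graph decomposition described in the docstring, returning the LOTOS expression when one exists. The gate name g and the sample nets in the tests are assumed.

```python
"""Single-gate LOTOS-representability as read-once factoring (added example).

A single-gate net is the list of its gate-nodes, each the set of processes it
connects.  In the paper's arithmetic reading the net is the sum (|||) over
gate-nodes of the product (|[g]|) of the connected processes, and it is
LOTOS-representable iff that sum of products can be rewritten, with
commutativity, associativity and distributivity only, so that every process
variable occurs exactly once.  Instead of rewriting, this code decomposes the
co-occurrence graph: processes that never share a gate-node can only meet
under |||; if every pair co-occurs, the root is |[g]| and its operands are
the components of the complement graph, whose gate-nodes must multiply out
to exactly the given ones (there is no idempotence, so E + E never reduces).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Sum:    # interleaving |||
    args: tuple


@dataclass(frozen=True)
class Prod:   # synchronisation |[g]| on the single gate
    args: tuple


def _components(nodes, adjacent):
    """Connected components under the adjacency predicate, each sorted and
    listed by smallest node, so the output is deterministic."""
    remaining, comps = set(nodes), []
    while remaining:
        start = min(remaining)
        comp, stack = {start}, [start]
        while stack:
            u = stack.pop()
            for w in remaining:
                if w not in comp and adjacent(u, w):
                    comp.add(w)
                    stack.append(w)
        remaining -= comp
        comps.append(sorted(comp))
    return comps


def _factor(monomials):
    """Read-once expression for a set of gate-nodes (frozensets), or None."""
    variables = sorted(set().union(*monomials))
    if len(variables) == 1:
        return Var(variables[0])  # the only gate-node left is {v}

    def cooccur(u, w):
        return any(u in m and w in m for m in monomials)

    parts = _components(variables, cooccur)
    if len(parts) > 1:
        # processes in different parts never synchronise: the root is |||
        args = [_factor(frozenset(m for m in monomials if m <= frozenset(p)))
                for p in parts]
        return None if None in args else Sum(tuple(args))

    blocks = _components(variables, lambda u, w: not cooccur(u, w))
    if len(blocks) == 1:
        return None  # connected with connected complement: no root operator fits
    projections = [frozenset(m & frozenset(b) for m in monomials) for b in blocks]
    if any(frozenset() in proj for proj in projections):
        return None  # some gate-node misses a whole block
    count = 1
    for proj in projections:
        count *= len(proj)
    if count != len(monomials):
        return None  # gate-nodes are not the cartesian product of the blocks
    args = [_factor(proj) for proj in projections]
    return None if None in args else Prod(tuple(args))


def _render(e, gate, top=False):
    if isinstance(e, Var):
        return e.name
    op = " ||| " if isinstance(e, Sum) else f" |[{gate}]| "
    body = op.join(_render(a, gate) for a in e.args)
    return body if top else f"({body})"


def lotos_representation(gate, gate_nodes):
    """LOTOS parallel expression for the single-gate net, or None when the net
    is not LOTOS-representable.  gate_nodes: iterable of process-name sets."""
    monomials = [frozenset(ps) for ps in gate_nodes]
    if not monomials or any(not m for m in monomials):
        raise ValueError("every gate-node must connect at least one process")
    if len(set(monomials)) != len(monomials):
        return None  # a duplicated gate-node gives E + E, which cannot be reduced
    expr = _factor(frozenset(monomials))
    return None if expr is None else _render(expr, gate, top=True)
```

The triangle net, in which every pair of three processes shares a gate-node, is the classic non-representable input; a path of three gate-nodes fails as well.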

Second Case: All the process nodes have a common alphabet 

The second step covers the case in which all the process nodes have the same alphabet, which implies that for any process-node p and gate a there is some gate-node g labelled with a and connected with p.

In this case the procedure begins by applying the algorithm corresponding to the previous case to the projection of the given network over each one of its gates. If any of them is not LOTOS-representable, then neither is the full network. Otherwise we have to check whether all the obtained expressions are compatible with each other. This means that they can be obtained by projecting over each gate the LOTOS expression that we are searching for. Thus we have to check that the hierarchical relations between the process variables, induced by the expressions corresponding to each gate of the network, are not contradictory.

For this we use the fact that for each set of gates A, the corresponding parallel operator |[A]| is associative. Then we can write the expressions involved in the process in what we call normal form, which is formally defined by

Definition 5 a) If $P_1, \ldots, P_n$ are process variables and $A \subseteq Gates$, then the expression $E = |[A]|(P_1, \ldots, P_n)$ is in normal form, and we will say that the set A is its root synchronization set, which we will denote by rss(E).

b) If $E_1, \ldots, E_k$ are expressions in normal form, with rss($E_i$) = $A_i$, and $A \subseteq Gates$ verifies $A \neq A_i$ for each $i \in \{1, \ldots, k\}$, then the expression $E = |[A]|(E_1, \ldots, E_k)$ is also in normal form, and we take rss(E) = A. □

Then, in order to check the consistency of two expressions in normal form, $E = |[A]|(E_1, \ldots, E_m)$ and $F = |[B]|(F_1, \ldots, F_n)$, we first study whether their common set of process variables can be partitioned into a family of subsets $P^1, \ldots, P^l$, in such a way that for each $i \in \{1, \ldots, l\}$ either there exists some $j \in \{1, \ldots, m\}$ with Processes($E_j$) = $P^i$ and some $K \subseteq \{1, \ldots, n\}$ with $\bigcup_{k \in K}$ Processes($F_k$) = $P^i$, or there exists some $j \in \{1, \ldots, n\}$ with Processes($F_j$) = $P^i$ and some $K \subseteq \{1, \ldots, m\}$ with $\bigcup_{k \in K}$ Processes($E_k$) = $P^i$. If this is the case our problem reduces to a family of instances of the same problem, with an instance for each $i \in \{1, \ldots, l\}$; otherwise the given expressions are not consistent. Those instances of the problem are defined in the following way:

• If $\exists j_1 \in \{1, \ldots, m\}\ \exists j_2 \in \{1, \ldots, n\}$ | Processes($E_{j_1}$) = Processes($F_{j_2}$) = $P^i$, we check the consistency of $E_{j_1}$ and $F_{j_2}$.

• If $\exists j \in \{1, \ldots, m\}\ \exists K \subseteq \{1, \ldots, n\}$ | $|K| > 1 \wedge$ Processes($E_j$) = $\bigcup_{k \in K}$ Processes($F_k$) = $P^i$, we check the consistency of $E_j$ and $|[B]|_{k \in K}(F_k)$.

• If $\exists j \in \{1, \ldots, n\}\ \exists K \subseteq \{1, \ldots, m\}$ | $|K| > 1 \wedge$ Processes($F_j$) = $\bigcup_{k \in K}$ Processes($E_k$) = $P^i$, we check the consistency of $|[A]|_{k \in K}(E_k)$ and $F_j$.

If all these tests are passed then the given expressions are consistent; in this case we also obtain the expression D which combines the structures of both expressions. Otherwise, they are not consistent, and thus they cannot be combined into a single expression.

The cost of this algorithm is quadratic in the size of the given expressions, and thus the cost of the presented algorithm to test LOTOS-representability in this second case is less than cubic in the size of the given network.

The General Case 

As in the previous case we begin by solving the problems corresponding to each gate in isolation. But in this case, when considering the subproblem corresponding to a gate g, the process nodes which do not contain that gate in their alphabet are not considered when applying the algorithm described in our first step. Nevertheless, once we have the corresponding solution, we add those processes as new sons of the root of the solution.

It is clear that whenever |[g]| is the operator labelling the root of the expression, we obtain an impossible synchronization, since g is not a gate of any of the added processes. But the key idea in order to guarantee the correctness of the algorithm is that such LOTOS expressions are not interpreted by our algorithm in the ordinary way; instead it uses a modified version of the semantics of the parallel operator, which considers that if we have an expression $E = |[A]|(P_1, \ldots, P_n)$, and we want to execute some $a \in A$, only those processes $P_i$ including a in their alphabets will have to cooperate to do it.

This change implies that the hierarchical structure induced by an expression is no longer unique, since the processes which do not contain the corresponding action in their alphabet could have been added anywhere, and not just below the root of the expression, obtaining a set of different expressions, which however are equivalent with respect to that modified semantics.

This implies that when we check the compatibility of two expressions, we have to let the processes not containing the corresponding gates move down into any argument of the corresponding expression, if that is necessary in order to match the structure induced by the other expression.

In order to generalize this idea, to apply it when we have to compare two expressions which have been obtained by composing the solutions corresponding to several gates, we introduce the notion of independency for sets of expressions. We say that the elements of a set of expressions are independent iff their alphabets are pairwise disjoint. Then, whenever we are comparing two such expressions, and we have inside any of them the parallel composition of a family of independent subexpressions, we can put them all together, obtaining a single subexpression, if that is necessary in order to match the structure induced by the other expression.

Thus, the second step of the algorithm for this general case is obtained from the corresponding step of the algorithm for the previous case by relaxing the condition which imposes that for each set $P^i$ in the considered partition we have to find some single subexpression $E_j$ (or $F_j$) with Processes($E_j$) = $P^i$ (or equivalently for $F_j$), allowing now to have instead a family $\{E_j \mid j \in J\}$ (or equivalently for F's) of independent processes. When we use that possibility, and for each $j \in J$ we have $E_j = |[A_j]|(E_{j1}, \ldots, E_{jm_j})$, then the expression to be compared in the instance of the problem corresponding to $P^i$ will be the one obtained by composing all the $E_{jl}$, for $j \in J$ and $l \in \{1, \ldots, m_j\}$, under a single parallel operator.

Finally, if the algorithm succeeds, those impossible synchronizations remaining in the obtained solution are removed, since they were only added as a consequence of a technical trick, to obtain an algorithm as similar as possible to that corresponding to the second case. By removing them we recover the ordinary semantics for the parallel operator, and thus the obtained expression is indeed the representation of the given network.

Process algebras, such as ACP, CCS, CSP and LOTOS, are widely accepted formalisms for the "functional" specification of concurrent systems, where functional means that a process term specifies what actions the system should do. Bisimulation is a standard tool for the definition of a behavioural equivalence on process terms which, besides the actions, considers the structure of the alternative choices (branching-time semantics).

Another, not less relevant, aspect of a system specification is its "performance", i.e., the measure of the time consumed for execution. It may be argued that performance is only a matter of efficient implementation. This is untrue: for applications whose functionality is performance-dependent (i.e., it can be altered by the flow of time like, e.g., in the presence of time-outs), it is reasonable to require that a specification does not allow implementations which do not have an adequate performance.

Our work gives a contribution in the direction of integrating the two needs by presenting a new bisimulation-based semantics, called performance equivalence, for a simple process algebra where systems are equated if they perform the same actions in the same time (i.e., they have the same functional and performance behaviour).

The basic assumptions on which this semantics relies are the following. Any action a has a duration, a natural number f(a), which represents the time units needed for its execution. Every sequential subsystem is equipped with a clock, whose elapsing is set only by the execution of actions. To be more precise, whenever an action a is executed by a sequential subcomponent P, the value n of the local clock of P is incremented to n + f(a), whilst the local clocks of those sequential components not involved in the execution of a are unaffected. Hence, if P is idle during a transition, its local clock value cannot increase. In other words, each sequential subsystem is always eager to perform an executable action (or dually "actions are urgent"): the time value is incremented locally only when the executable action is performed. The only exception concerns synchronization. Two processes can synchronize when they perform the same action at the same time; if one of the two is able to execute such an action before the other one, then a form of "busy waiting" is allowed. This fact shows that the local clocks are indeed locally replicated, possibly inconsistent, versions of the unique physical global time. Indeed, the time is the same for all the sequential components; the only point is that we do not pretend that all the local views be consistent during the simulation. This assumption is rather natural if we are interested in performance evaluation only. In a simulation there is no need of having a tight agreement between the time of execution (i.e., the number attached to the executed actions) and the time of observation (i.e., the time of "generation" of the action during the simulation).

A simple example may be helpful in clarifying the basic idea. Consider the term E = a.g.nil || b.nil. Since the clock is set to 0 before starting the execution of E, the initial state of the transition system is (0 ⇒ a.g.nil) || (0 ⇒ b.nil), where the auxiliary operator n ⇒ P means that

*This work has been partially supported by Esprit Basic Research project BROADCAST n.6360 and by Italian CNR, grant n. 92.00069.CT12.115.25585.
the execution of P starts exactly after n time units of the global clock. One of the two transitions out of it is labelled (a, f(a)) and reaches (f(a) ⇒ g.nil) || (0 ⇒ b.nil). By executing b, we reach the state f(a) ⇒ g.nil || f(b) ⇒ nil; finally the execution of g produces a transition labeled (g, f(a) + f(g)) with target state (f(a) + f(g) ⇒ nil) || (f(b) ⇒ nil). It is immediate to observe that the time needed for the complete execution of the system is max{f(a) + f(g), f(b)} and that bisimulation equivalence over this labelled transition system is more discriminating than interleaving bisimulation. Indeed, the equation a.nil || b.nil = a.b.nil + b.a.nil does not hold

$$0 \Rightarrow a.nil \parallel 0 \Rightarrow b.nil \xrightarrow{(a, f(a))} f(a) \Rightarrow nil \parallel 0 \Rightarrow b.nil \xrightarrow{(b, f(b))} f(a) \Rightarrow nil \parallel f(b) \Rightarrow nil$$

$$0 \Rightarrow a.b.nil + b.a.nil \xrightarrow{(a, f(a))} f(a) \Rightarrow b.nil \xrightarrow{(b, f(a) + f(b))} f(a) + f(b) \Rightarrow nil$$

as the execution of b after a in the left-hand-side term is performed with a higher clock value. Notice that, if f(a) > f(b), then the execution of a before b in a.nil || b.nil generates two transitions where the clock value is decreased in the second transition. This phenomenon has been criticized in the real-time literature (e.g., [2]), because in this context the time of execution and the time of observation are required to agree tightly; however, a recent report [1] shows that this view can be reasonably accepted also in real-time applications, provided that those "ill-timed" traces are "well-caused", as we do here.

The simple process algebra $\mathcal{C}$ we study has operators borrowed from CCS and TCSP:

$$E ::= nil \mid a.E \mid E + E \mid E \parallel_A E \mid E[\Phi]$$

where, for the sake of simplicity, we assume that $\Phi$ relabels actions with the same duration, i.e., $f(a) = f(\Phi(a))$ must hold for any a. $\mathcal{C}$ is equipped with an SOS semantics in terms of labelled transition systems. The states are terms generated by the following syntax:

$$s ::= n \Rightarrow nil \mid n \Rightarrow a.E \mid s + s \mid s \parallel_A s \mid s[\Phi]$$

where E denotes any (finite) $\mathcal{C}$ term. When prefixing a term E with a clock value n, $n \Rightarrow E$, we mean that n distributes over the operators, down to the sequential components. Formally:

$$n \Rightarrow (E + E') = (n \Rightarrow E) + (n \Rightarrow E')$$

$$n \Rightarrow (E \parallel_A E') = (n \Rightarrow E) \parallel_A (n \Rightarrow E')$$

$$n \Rightarrow (E[\Phi]) = (n \Rightarrow E)[\Phi]$$

Hence, $n \Rightarrow E$ is (canonically) reduced to a state. Each transition is labelled by $(a, n)\bullet\omega$: the observable part is (a, n), meaning that action a has been completed exactly after n time units, while the location part $\omega$ is a term pointing out which sequential subagents have been involved in the execution of action a itself. The latter part, irrelevant from an observational viewpoint (and thus omitted in the previous examples), is used to guarantee a correct updating of the local clock values in steps of synchronization. Locations are generated as follows:

$$\omega ::= \bullet \mid \omega\rfloor \mid \lfloor\omega \mid \omega \parallel \omega$$

where $\bullet$ (one place) means "sequential", while $\omega\rfloor$ ($\lfloor\omega$) means that the system is composed of two main parts and that $\omega$ comes from the left (right) part; the operator $\parallel$ is a form of (disjoint) union of locations. The rules for prefixing, sum, relabelling and parallel composition (where the obvious symmetric rules are omitted) are:


$$\frac{}{n \Rightarrow a.E \xrightarrow{(a,k)\bullet\,\bullet} k \Rightarrow E} \quad k = n + f(a)$$

$$\frac{s_1 \xrightarrow{(a,n)\bullet\omega} s_1'}{s_1 \parallel_A s_2 \xrightarrow{(a,n)\bullet\omega\rfloor} s_1' \parallel_A s_2} \quad \text{if } a \notin A$$

$$\frac{s_1 \xrightarrow{(a,n_1)\bullet\omega_1} s_1' \qquad s_2 \xrightarrow{(a,n_2)\bullet\omega_2} s_2'}{s_1 \parallel_A s_2 \xrightarrow{(a,n_1)\bullet(\omega_1 \parallel \omega_2)} s_1' \parallel_A ([n_1, \omega_2]s_2')} \quad \text{if } a \in A \text{ and } n_1 \geq n_2$$

where the auxiliary time-update operator $[n_1, \omega_2]$ applied to $s_2'$ in the synchronisation rule increases to $n_1$ the clock value of the sequential components of $s_2'$ singled out by $\omega_2$. Indeed, two sequential subsystems can synchronize via the same action a performed during the same time interval; hence, if one of the two is ready before the other one, it must wait. Formally, some of the equations defining the time-update operator are:

$$[n, \bullet](m \Rightarrow a.E) = n \Rightarrow a.E$$

$$[n, \omega\rfloor](s_1 \parallel_A s_2) = ([n, \omega]s_1) \parallel_A s_2$$

$$[n, \omega_1 \parallel \omega_2](s_1 \parallel_A s_2) = ([n, \omega_1]s_1) \parallel_A ([n, \omega_2]s_2)$$

Finally, we introduce an auxiliary operator which forgets about the additional location part on the labels. The "forgetful" operator, F(s), is defined as follows:

$$\frac{s \xrightarrow{(a,n)\bullet\omega} s'}{F(s) \xrightarrow{(a,n)} F(s')}$$

We say that two $\mathcal{C}$ terms $E_1$ and $E_2$ are performance equivalent if and only if $F(0 \Rightarrow E_1)$ is bisimilar to $F(0 \Rightarrow E_2)$.

Performance equivalence is preserved by all the operators, except parallel composition (the counter-example is the same proposed by A. Rabinovich to show that partial ordering bisimulation is not a congruence). A complete proof system for performance equivalence can be easily provided with the help of some auxiliary operators. Two terms $E_1$ and $E_2$ are performance equivalent if and only if $F(0 \Rightarrow E_1)$ is proved equal to $F(0 \Rightarrow E_2)$ according to the following axioms. Besides the usual laws for bisimulation (+ is a commutative, nil absorbent monoid), the distributive axioms on states and the axioms for the time-update operator listed above, there are axioms which transform each state into a tree labeled also with the location part, and some more axioms that, given such a tree, forget this location part. Some of them are reported below:

$$n \Rightarrow a.E = ((a,k)\bullet\,\bullet).(k \Rightarrow E) \quad \text{for } k = n + f(a)$$

$$s_1 \parallel_A s_2 = s_1 \lfloor\!\parallel_A s_2 + s_1 \parallel\!\rfloor_A s_2 + s_1 \mid_A s_2$$

$$((a,n)\bullet\omega.s_1) \lfloor\!\parallel_A s_2 = ((a,n)\bullet\omega\rfloor).(s_1 \parallel_A s_2) \quad \text{if } a \notin A$$

$$F((a,n)\bullet\omega.s) = (a,n).F(s)$$

Hence, the procedure for checking if two terms are performance bisimilar is as follows: first, generate a tree out of a state; second, forget the location part; third, check their equivalence according to the axioms of strong bisimulation.
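The clock semantics and the equivalence check above, as an added example written for this page rather than the authors' code: the durations f(a), f(b), f(g) and the sample terms are assumed values, relabelling is left out, and bisimilarity is computed directly on the (a, time)-labelled transition system instead of through the axioms.

```python
"""Local-clock (performance) semantics for a small process algebra.

Added example, not the paper's code.  Terms: nil, a.E, E + E', E |[A]| E'
(relabelling is left out).  Executing a at local clock n completes at
n + f(a); idle components keep their clocks; two components synchronising
on a both finish at the later of their completion times (the time-update).
Locations are not modelled: a move hands back a function that rebuilds the
target for a given completion time, which updates exactly the components
that took part.  Performance equivalence is strong bisimulation over the
(a, time) labels, computed by fixpoint iteration on the finite state space.
"""
from itertools import product

DUR = {"a": 2, "b": 3, "g": 1}  # assumed durations f(a), f(b), f(g)
NIL = ("nil",)


def pre(a, e):          # a.E
    return ("pre", a, e)

def plus(e1, e2):       # E + E'
    return ("sum", e1, e2)

def par(sync, e1, e2):  # E |[A]| E'
    return ("par", frozenset(sync), e1, e2)


def clock(n, term):
    """n => E: push the clock value down to the sequential components."""
    kind = term[0]
    if kind == "nil":
        return ("cnil", n)
    if kind == "pre":
        return ("cpre", n, term[1], term[2])
    if kind == "sum":
        return ("sum", clock(n, term[1]), clock(n, term[2]))
    return ("par", term[1], clock(n, term[2]), clock(n, term[3]))


def steps(s):
    """Moves of state s as (action, completion time k, retarget), where
    retarget(k2) for k2 >= k is the target with the moving components'
    clocks set to k2; retarget(k) is the ordinary target."""
    kind = s[0]
    if kind == "cnil":
        return []
    if kind == "cpre":
        n, a, e = s[1], s[2], s[3]
        return [(a, n + DUR[a], lambda k2, e=e: clock(k2, e))]
    if kind == "sum":
        return steps(s[1]) + steps(s[2])
    sync, s1, s2 = s[1], s[2], s[3]
    out = []
    for a, k, t in steps(s1):            # left side moves on its own
        if a not in sync:
            out.append((a, k, lambda k2, t=t: ("par", sync, t(k2), s2)))
    for a, k, t in steps(s2):            # right side moves on its own
        if a not in sync:
            out.append((a, k, lambda k2, t=t: ("par", sync, s1, t(k2))))
    for (a1, k1, t1), (a2, k2, t2) in product(steps(s1), steps(s2)):
        if a1 == a2 and a1 in sync:      # the earlier side busy-waits for the later one
            out.append((a1, max(k1, k2),
                        lambda k3, t1=t1, t2=t2: ("par", sync, t1(k3), t2(k3))))
    return out


def lts(s0):
    """Reachable states mapped to their {(a, k, target)} successor sets."""
    succ, todo = {}, [s0]
    while todo:
        s = todo.pop()
        if s in succ:
            continue
        succ[s] = {(a, k, t(k)) for a, k, t in steps(s)}
        todo.extend(t for _, _, t in succ[s])
    return succ


def performance_equivalent(e1, e2):
    """E1 ~ E2 iff 0 => E1 and 0 => E2 are bisimilar over (a, k) labels."""
    succ = lts(clock(0, e1))
    succ.update(lts(clock(0, e2)))
    rel = {(p, q) for p in succ for q in succ}

    def simulated(p, q):  # every move of p is matched by a move of q within rel
        return all(any((b, k2) == (a, k) and (p2, q2) in rel for b, k2, q2 in succ[q])
                   for a, k, p2 in succ[p])

    while True:
        nxt = {(p, q) for p, q in rel if simulated(p, q) and simulated(q, p)}
        if nxt == rel:
            return (clock(0, e1), clock(0, e2)) in rel
        rel = nxt


def completion_time(e):
    """Time at which the last action of any run of 0 => E completes."""
    return max((k for moves in lts(clock(0, e)).values() for _, k, _ in moves), default=0)
```

With f(a) = 2, f(b) = 3 and f(g) = 1 the term a.g.nil || b.nil from the text completes at max{f(a) + f(g), f(b)} = 3, and a.nil || b.nil is told apart from a.b.nil + b.a.nil because the latter completes b only at f(a) + f(b).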

Performance equivalence is a non-interleaving semantics which is based on the notion of time consumption. It is interesting to see what is the rank of this equivalence in the large spectrum of non-interleaving semantics proposed in the literature. It can be proved that partial ordering bisimulation [4] is finer than performance equivalence. This is quite obvious as causality gives enough information to recover the time needed for execution. The reverse does not hold in general; however, it can be proved that if the two systems are time-deterministic (there are no reachable states with two outgoing transitions labelled by the same action at the same time), then performance equivalence induces a semantics which is even finer than
Let us consider ST semantics [7]. Performance equivalence is strictly finer than ST bisimulation semantics. The counterexample is easy: consider the two terms a.nil || b.nil and $((a.c.nil) \parallel_{c} (b.nil + c.nil))[b/c]$. These are ST bisimilar but not performance bisimilar, as in the latter system action b can be completed also after f(a) + f(b) time units. This example may also help in clarifying in which sense our semantics is not "real-time", according to some papers in the literature (see, e.g., [8]). A different operational semantics for synchronisation, which is claimed "real-time", requires that both agents are ready to perform the same action at the same time, without any busy-waiting. This solution, proposed in, e.g., [1], forbids several executions that we prefer to keep; for instance, the synchronisation over c in the example above. Indeed, our treatment of nondeterminism is similar to an internal choice: first, each local component decides (with zero delay) which action it wants to execute, then it tries to export the action to the top level, possibly delayed by synchronisations. If successful, the execution takes exactly the right amount of time; otherwise, the action is not executed at all. As all the local choices are to be taken into account, all the possible executions are represented. (Our view is shared by other researchers, proposing similar ideas in different contexts [3, 5].)

This semantics is a priori of timed calculi (no specific operators have been proposed to this aim) and real-time is not an issue of this paper. Nonetheless, we feel that our approach to time in system executions can be helpful for a formal description of time-dependent programming constructs such as timeout, watchdog, and so on. In conclusion, the aim of our study is to provide an approach able to incorporate time into formal specifications, in order to capture functional and performance behaviour of distributed and parallel systems. Nevertheless we are aware that, because of the inherent random nature of the investigated problems, the concepts of random variables and stochastic processes represent the unique well-founded discipline able to describe performance aspects of computer systems. Thus, even if other alternative (or complementary) approaches can be studied (e.g. Stochastic Petri Net models), our next purpose will be to replace specific, deterministic time duration values with probabilistic time duration distribution functions, in order to provide a uniform integration of the theories of process algebras and performance evaluation (see, e.g., [6] for a preliminary study). This justifies the title of the paper.

Modal logics are an important tool in the analysis, specification and verification of reactive systems. Among many other applications, logics like HML have been used as a benchmark for semantic equivalences [8], as the specification language used in model checking tools [1], and as a language in which to explain why two systems are not semantically equivalent [10].

Regarding modal characterisations of semantic equivalences, the classical result is the adequacy theorem of Hennessy and Milner who showed that two states in a (finitely branching) transition system are bisimilar, written $p \sim q$, iff they satisfy the same HML formulas, written $p \equiv_{HML} q$, where $p \equiv_L q \stackrel{def}{\Leftrightarrow} \forall f \in L\ (p \models f \Leftrightarrow q \models f)$.

Here we are mostly interested in modal logics with past-time (backward) operators. A few exist. They have been used (among other applications) to capture non-continuous properties of generalized transition systems ($J_t$ in [9]), to capture history-preserving bisimulation in causality-based models ($L_p$ in [2]) and to capture branching bisimulation by mimicking back-and-forth $\tau$-bisimulation ($L_{BF}$ in [5]).

In this paper we give three non-trivial translation theorems of the generic form $L \preceq L'$ showing, given any formula f from some modal logic L, how to build an equivalent $f' \in L'$. This kind of problem has not received much attention in modal logics of reactive systems; the existing results in temporal logics mostly deal with linear-time logics.

Our translations are defined by rewrite rules (to apply with a given strategy) over formulas. A consequence is that, once discovered, the translations are easy to implement. Our motivations are not only theoretical. For example, by showing how to translate $HML_{bf}$ (HML with past-time connectives) into its future-time fragment HML, we show how to easily expand the input language of any software tool (e.g. a verifier) handling HML properties.


*LIFIA-IMAG, 48 Av. Félix Viallet, F-38000 Grenoble, FRANCE.

1 Backward modalities

We consider a fixed set $A = \{a, b, \ldots\}$ of labels. A labelled transition system (LTS) is an edge-labeled graph $(Q, \rightarrow)$ where $Q = \{p, q, \ldots\}$ is a set of states and $\rightarrow \subseteq Q \times A \times Q$ is the transition relation. We assume a fixed LTS S.

$HML_{bf}$ is HML with past-tense modalities¹ and has the following grammar:

$$HML_{bf} \ni f, g ::= \top \mid \neg f \mid f \wedge g \mid \langle a \rangle f \mid \langle \overline{a} \rangle f$$

where a is any action from A. (HML is the fragment of $HML_{bf}$ where the $\langle \overline{a} \rangle$ operators are not allowed.)

f, g, ... denote HML formulas and we use the standard abbreviations: $f \vee g$, $\bot$, $[a]f$ for $\neg\langle a \rangle\neg f$, ...

A modal logic with backward modalities states properties of a run $\pi = [q_0 \xrightarrow{a_1} q_1 \cdots \xrightarrow{a_n} q_n]$ of S, that is, of state $q_n$ with a given history (or past). We write $\pi \xrightarrow{a} \pi'$ when run $\pi'$ is $\pi$ with a transition $q_n \xrightarrow{a} q_{n+1}$ added. For a run $\pi$ and an $HML_{bf}$ formula f, we define $\pi \models f$ by induction on the structure of f:

$\pi \models \langle a \rangle f$ iff there is a $\pi \xrightarrow{a} \pi'$ s.t. $\pi' \models f$,
$\pi \models \langle \overline{a} \rangle f$ iff there is a $\pi' \xrightarrow{a} \pi$ s.t. $\pi' \models f$.

(the other clauses are obvious.) Then, for a state $q \in Q$, the derived notion $q \models f$ is given by $q \models f \stackrel{def}{\Leftrightarrow} [q] \models f$.

[5] mentions that $p \equiv_{HML_{bf}} q$ iff $p \sim q$ because (strong) bisimulation coincides with (strong) back-and-forth bisimulation [3]. This entails $p \equiv_{HML_{bf}} q$ iff $p \equiv_{HML} q$.

We are looking for a more detailed comparison of the expressive power of HML and $HML_{bf}$. We consider whether formulas of $HML_{bf}$ can be translated into HML. This requires some definitions:

Definition 1 Two formulas are globally equivalent, written $f \equiv_g f'$, iff $\pi \models f \Leftrightarrow \pi \models f'$ for all runs $\pi$ in all LTS's.

They are initially equivalent, written $f \equiv_i f'$, iff $q \models f \Leftrightarrow q \models f'$ for all states q in all LTS's.

Clearly, $f \equiv_g f'$ implies $f \equiv_i f'$, but the converse is not true. $\equiv_g$ is a congruence: when $f \equiv_g f'$ with f a subformula of g then $g \equiv_g g[f'/f]$. This does not hold for $\equiv_i$, which is only a congruence w.r.t. boolean contexts.

¹$HML_{bf}$ was introduced in [6] for systems with $\tau$'s (but note that $HML_{bf}$ is a subset of $J_\tau$ defined in [8].)
Definition 2 A logic L can be translated (resp. initially translated) into L', written $L \preceq_g L'$ (resp. $L \preceq_i L'$), iff for any $f \in L$ there is a $f' \in L'$ with $f \equiv_g f'$ (resp. $f \equiv_i f'$).

$L \preceq_g L'$ implies $\equiv_{L'} \subseteq \equiv_L$ but the converse is not true in general.

Theorem 1 $HML_{bf} \preceq_i HML$.

The proof uses three steps.

• Say a formula is restricted if it has the form $\langle a \rangle f$, $\langle \overline{a} \rangle f$ or ..., with f a restricted conjunct, i.e. a (possibly empty) conjunction of restricted formulas. (We use $\psi$, ... to denote restricted formulas.) Then

Lemma 1 Any f is equivalent to a disjunction of restricted conjuncts.

• Say a formula is separated if no backward modality occurs in the scope of a forward modality² (and write $HML_{bf}^{sep}$ for the fragment of $HML_{bf}$ that contains only separated formulas).

Lemma 2 Any restricted $\psi$ is equivalent to a separated formula.

Proof Rewrite $\psi$ into a separated formula using:

$$\langle a \rangle(\psi \wedge \langle \overline{b} \rangle \psi') \equiv_g \begin{cases} \psi' \wedge \langle a \rangle \psi & \text{if } a = b \\ \bot & \text{if } a \neq b \end{cases}$$

$$\langle a \rangle(\psi \wedge \neg\langle \overline{b} \rangle \psi') \equiv_g \begin{cases} \neg\psi' \wedge \langle a \rangle \psi & \text{if } a = b \\ \langle a \rangle \psi & \text{if } a \neq b \end{cases}$$

Any restricted non-separated formula can be rewritten according to one of these equations. Applying an outermost strategy guarantees that non-separated subformulas remain restricted conjuncts. Termination is clear. □

Proposition 1 (Separation lemma)

$$HML_{bf} \preceq_g HML_{bf}^{sep} \qquad (1)$$

is the immediate corollary. (Observe that (1) does not hold for Gabbay's definition of separated formulas.)

Now we conclude the proof of Theorem 1 with

Proposition 2 $HML_{bf}^{sep} \preceq_i HML$.

Proof Use $\langle \overline{a} \rangle f \equiv_i \bot$ to eliminate (modulo $\equiv_i$) any past-time modality which is not in the scope of a future-time modality. □
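The run semantics of Section 1 and the two rewriting steps of the proof above, as an added example not taken from the paper: the sample LTS, the formula constructors and the function names are constructed for this page. Checking a single LTS can refute an equivalence but not prove it; the separation identities themselves hold in general because the predecessor of a run is unique.

```python
"""HML with backward modalities over runs (added example, not from the paper).

A run is a start state followed by (action, state) steps.  <a>f looks at
the one-step extensions of the run, the backward modality (Bwd) at the run
with its last a-step removed, and q |= f means [q] |= f.  Global equivalence
is agreement on every run, initial equivalence agreement on every state.
After a forward <a>-step the run ends with a, and its predecessor is the run
we started from, so a backward <b>-step is possible iff b == a and the
original run satisfies the backward modality's argument.
"""

T = ("T",)


def Not(f):
    return ("not", f)


def And(f, g):
    return ("and", f, g)


def Fwd(a, f):      # forward modality <a>f
    return ("fwd", a, f)


def Bwd(a, f):      # backward modality
    return ("bwd", a, f)


FALSE = Not(T)

# constructed sample LTS: transitions (source, label, target)
SAMPLE = {(0, "a", 1), (0, "b", 2), (1, "a", 3), (2, "a", 3)}
STATES = {0, 1, 2, 3}


def holds(trans, run, f):
    """run = (q0, ((a1, q1), ..., (an, qn))); does run |= f?"""
    q0, steps = run
    last = steps[-1][1] if steps else q0
    kind = f[0]
    if kind == "T":
        return True
    if kind == "not":
        return not holds(trans, run, f[1])
    if kind == "and":
        return holds(trans, run, f[1]) and holds(trans, run, f[2])
    a, g = f[1], f[2]
    if kind == "fwd":
        return any(holds(trans, (q0, steps + ((a, q),)), g)
                   for p, b, q in trans if p == last and b == a)
    # backward: the run must end with an a-step; its predecessor run is unique
    return bool(steps) and steps[-1][0] == a and holds(trans, (q0, steps[:-1]), g)


def runs(trans, q0, depth):
    """All runs starting in q0 with at most `depth` steps."""
    result, frontier = [], [(q0, ())]
    for _ in range(depth):
        result.extend(frontier)
        nxt = []
        for start, steps in frontier:
            last = steps[-1][1] if steps else start
            nxt += [(start, steps + ((a, q),)) for p, a, q in sorted(trans) if p == last]
        frontier = nxt
    return result + frontier


def globally_equivalent(trans, states, depth, f, g):
    """f and g agree on every run (up to `depth` steps) of the given LTS."""
    return all(holds(trans, r, f) == holds(trans, r, g)
               for q in states for r in runs(trans, q, depth))


def initially_equivalent(trans, states, f, g):
    """f and g agree on every state, i.e. on every one-state run."""
    return all(holds(trans, (q, ()), f) == holds(trans, (q, ()), g) for q in states)


def separate(a, psi, b, psi2):
    """Separated equivalent of <a>(psi /\\ Bwd(b, psi2))."""
    return And(psi2, Fwd(a, psi)) if a == b else FALSE


def separate_negated(a, psi, b, psi2):
    """Separated equivalent of <a>(psi /\\ not Bwd(b, psi2))."""
    return And(Not(psi2), Fwd(a, psi)) if a == b else Fwd(a, psi)
```

On the sample LTS the backward formula Bwd("a", T) is initially equivalent to false but not globally equivalent to it, which is exactly the gap between Proposition 1 and Proposition 2.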

²Note that [6, 7] use a different, less general, definition of separated formulas: say a formula is pure-future if it does not contain any past-time operator, is pure-past if it does not contain any future-time operator, and separated (in Gabbay's sense) if it is a boolean combination of pure-past and pure-future formulas.


2 $\tau$-moves, from $L_U$ to $L_{BF}$

For transition systems labeled over $A_\tau \stackrel{def}{=} A \cup \{\tau\}$, [5] introduces $L_U$ and $L_{BF}$, two modal logics characterising branching bisimulation.

$L_{BF}$ is a version of $HML_{bf}$ adapted to systems with silent moves. Its grammar is

$$L_{BF} \ni f, g ::= \top \mid \neg f \mid f \wedge g \mid \langle\langle k \rangle\rangle f \mid \langle\langle \overline{k} \rangle\rangle f$$

where k is any label from $A_\tau = A \cup \{\tau\}$. We use $[[k]]f$ and $[[\overline{k}]]f$ as standard abbreviations. The semantics of the new modalities is given by:

$\pi \models \langle\langle a \rangle\rangle f$ iff there is a $\pi \Rightarrow \xrightarrow{a} \pi'$ s.t. $\pi' \models f$,
$\pi \models \langle\langle \tau \rangle\rangle f$ iff there is a $\pi \Rightarrow \pi'$ s.t. $\pi' \models f$,

where $\Rightarrow$ is the reflexive and transitive closure of $\xrightarrow{\tau}$. The clauses for $\langle\langle \overline{k} \rangle\rangle$ are just like for $\langle\langle k \rangle\rangle$, only backward.

$L_U$ has no backward modalities but it has a so-called "until" operator which is more powerful than the simple future-time operator of $L_{BF}$. The grammar of $L_U$ is

$$L_U \ni f, g ::= \top \mid \neg f \mid f \wedge g \mid f\langle k \rangle g$$

with $k \in A_\tau$. The semantics is given by

$s \models f\langle a \rangle g$ iff $\exists n > 0$, $s = s_0 \xrightarrow{\tau} s_1 \xrightarrow{\tau} \cdots s_{n-1} \xrightarrow{a} s_n$ s.t. $s_n \models g$ and $s_i \models f$ for $i < n$,
$s \models f\langle \tau \rangle g$ iff $\exists n \geq 0$, $s = s_0 \xrightarrow{\tau} s_1 \cdots s_{n-1} \xrightarrow{\tau} s_n$ s.t. $s_n \models g$ and $s_i \models f$ for $i < n$.

For technical reasons, we introduce $L_{BU}$ [11], a logic built by combining all modalities of $L_U$ and of $L_{BF}$, so that both $L_{BF}$ and $L_U$ are fragments of a common superset:

$$L_{BU} \ni f, g ::= \top \mid \neg f \mid f \wedge g \mid \langle\langle k \rangle\rangle f \mid \langle\langle \overline{k} \rangle\rangle f \mid f\langle k \rangle g$$

with $k \in A_\tau$. In $L_{BU}$, the $\langle\langle k \rangle\rangle$ is not really needed because

$$\langle\langle k \rangle\rangle f \equiv_g \top\langle k \rangle(\top\langle \tau \rangle f) \qquad (2)$$

Considering that $\equiv_{L_{BF}}$ and $\equiv_{L_U}$ coincide [5], a natural question is whether $L_U$ or $L_{BF}$ can be translated into the other. At a certain time, the authors of [5] tried to simply embed $L_U$ into $L_{BF}$ (see Theorem 2.19 in [4]) but later found a mistake in their proof. A translation exists but it is not trivial:

Theorem 2 $L_U \preceq_g L_{BF}$.

Proof We show how to eliminate the until modalities from an $L_U$ formula f.

• Consider a formula f having the general form:

/= f V (AHMpo a (3) 

'<* 1 ..» iiJ. iii[ ' 
for which we introduce the following simplifying abbreviations:

The top modality of f is an until with an n-ary disjunction in the left-hand side.
• First, consider the simpler case where n = 1 in f. Then if $h = a \in A$ we have

/=,{o,] A «a»(»AlPD(a',)) 

while if $h = \tau$ we have

/=, tfrV |(ari]A((r))(^^An<]](tf’V{o',))) j 

• Now in the general n-ary case with n > 1, we show how to rewrite (3) into a formula where the until is eliminated by introducing new until-formulas having (n − 1)-ary disjunctions in their left-hand sides.

If $h = a \in A$ we have

i^ n I U ««)) (^- A Mtti V (o:») ) j 

where 

( V ^ <**)) 


are the new until-formulas containing only n − 1 members in the disjunction.

Similarly, if $h = \tau$, we have

/=,<(> V \/ Ao,J A ({<)) (fi A PjCd-, V (oj))) ^ 

• Now, with a sound strategy, these two transformations 
can be used to rewrite an arbitrary / from Lu into Lbf- 

1. Observe that $f$ in (3) is a quite general until formula
except that it has no backward combinator (immediately)
in the left-hand side of the until. Say an FB-formula
is any $L_{BU}$ formula where (i) no until is in
the scope of a backward modality, and (ii) every
backward modality is (immediately, but disregarding
boolean combinators) under a forward $L_{BF}$ modality.

2. Then if $f$ in (3) is an FB-formula, our transformations
give in all cases a formula equivalent to $f$ which is still
FB: all the backward combinators we introduce have
no until in their scope and are immediately under a
forward $L_{BF}$ modality.

3. Now given any formula in $L_U$, we just have to work
by picking the innermost untils first and by writing
their left-hand sides in disjunctive normal form. We
eventually obtain an $L_{BF}$ formula.

□ 


3 From $L_{BF}$ to $L_U$

Theorem 3 $L_{BF} \preceq L_U$.

This problem was considered in [11] where a partial solution
is proposed. Our approach was developed independently
and uses our separation techniques. Write $L^{s}_{BU}$ for
the set of separated $L_{BU}$ formulas, i.e. of formulas with no
backward modality under the scope of a forward (or until)
modality. We show how to rewrite any $L_{BU}$ formula into
an equivalent separated formula. The most difficult part
here is to find a strategy which ensures termination. For
this we use an approach inspired from [6].

Lemma 3 Any $L_{BU}$ formula $f$ with only one subformula
of the form $\langle\langle k\rangle\rangle\psi$, where $\psi$ has no modality, is equivalent
to a separated formula. (Note: $f$ may contain several
occurrences of $\langle\langle k\rangle\rangle\psi$.)

The basic transformation removes a modality $\langle\langle k\rangle\rangle$ from
the scope of an until modality. First of all, we need not
consider disjunctions in the right-hand side of an until because

$\alpha\langle k\rangle(\psi_1 \vee \psi_2) \equiv \alpha\langle k\rangle\psi_1 \vee \alpha\langle k\rangle\psi_2$

Then conjunctions in the right-hand side can be dealt with 
by using 

A fi) Sf a{a)(il> A 0) 

«»<«)(“’«<)>^ A 0) S, ot{a)(-nd> A 0) 

«<«)((W)V> A 0) _ ifo^k, 

s, (a(*)(V’ A a(a)0)) V (((t))V' A a{a)0)f a = 6. 

«(«)(■•{W)V’ A 0) S g o(a)0 if o ^ 6, 

Sg-‘{{€))il>^{aA-^){a)0 if 0 = 6. 

A 0 ) 

S, ({{<))i> A a{()0) V o(<>(V- A a{€)0) 

=» A (o A -'d>){t)(0 A -tfr) 

««(M^A/?) 5,(W>^Ao(t)^ 

A 0) H, A a(e)0 

which are correct without any hypothesis on $\alpha$, $\beta$ and $\psi$.

To remove $\langle\langle k\rangle\rangle\psi$ in the left-hand sides of until-formulas,
we only consider the general form:

((((i)),6A«,)v(-M>^Ay,')V^)(*V (4) 
We use

( ({(*)) A V A V /9] {*)q 

S» A(^V/?)(*)a 

V A (-•i' A V ^)) (*)o 

V -'{{f))i> A (-'^t A V /$))(<) (i> A V 0){k)a) 

( (((*) )^A» ) V (->U*)>^ A V ^ j (t)a 

S. (M^ A (V V /J){*)a) V (-MV- A (✓ V «(t)a) 

We have no room here to show the rules for the general
cases where $\langle\langle k\rangle\rangle\psi$ occurs in both sides of the until. They
are often dealt with by a combination of the previous transformations,
and in some cases by new transformations in
the same spirit.

Once this basic step is established we just have to offer
a strategy ensuring termination:

Lemma 4 Any $L_{BU}$ formula $f$ with only $n$ subformulas of
the form $\langle\langle k_i\rangle\rangle\psi_i$, where $\psi_i$ has no modality, is equivalent
to a separated formula.

Proof Use Lemma 3 on each $\langle\langle k_i\rangle\rangle\psi_i$ in turn. □

Lemma 5 Any $L_{BU}$ formula $f$ with only $n$ subformulas of
the form $\langle\langle k_i\rangle\rangle\psi_i$, where $\psi_i$ has only backward modalities,
is equivalent to a separated formula.

Proof Use Lemma 3 to extract the $\langle\langle k_i\rangle\rangle\psi_i$. This may
introduce new $\langle\langle k_{ij}\rangle\rangle\psi_{ij}$ in the (immediate) scope of some
untils, but these were subformulas of the $\psi_i$ so that the
height of the maximal nesting of backward modalities is
decreased. □

Lemma 6 Any $L_{BU}$ formula $f$ is equivalent to a separated
formula.

Proof Applying Lemma 5 to subformulas $\langle\langle k\rangle\rangle\psi$ diminishes
the multiset of alternation heights of backward and
forward modalities. □

Proposition 3 (Separation Lemma)

$L_{BU} \preceq L^{s}_{BU}$

is the immediate corollary which combines with

Proposition 4 $L^{s}_{BU} \preceq L_U$.

(same as Proposition 2) to complete the proof of Theorem 3.

Conclusion

Translations between modal logics have not been investigated
in the literature. Our three theorems clearly show
that many interesting results can be found when modal logics
with backward modalities are considered. We intend to
pursue this line of research

• by investigating complexity issues (not dealt with in
this introductory paper),

• by simplifying our proofs that our rewriting strategies
terminate,

• and especially by considering other richer logics:
HML with recursion, logics for "truly parallel" models, ...

This last point seems promising. For example, F. Cherief,
F. Laroussinie and S. Pinchinat proved that the logic $L_P$
from [2] can be translated into a variant of $HML_U$ with
$\langle p\rangle$ modalities for pomsets $p$.
1. Introduction

The need for formal specification languages in the
requirements phase of software engineering has
been recognized by scientists and practitioners alike.
The Z language [12], particularly, is widely
accepted as a medium to express software requirements,
with its schemas providing modularity to
build new specifications by composition of elements
already defined. Z has been tested in a number of
industrial projects.

Nevertheless, schemas are a means of functional
decomposition; the last few years have shown that
object oriented decomposition is more suitable for
the development of large software systems. Object
oriented software tends to be more stable through
time and enforces extendibility and reusability. Among
other ways to bring object orientation to Z
[13], MooZ [8, 9] was proposed and experimented with.

MooZ has many new features, but "respects"
Z semantics - based on set theory and first-order
predicate calculus - making its application restricted,
since properties like temporal ordering of events
and concurrency are not easy to describe within
such formalisms. The problem gets worse if the
language is used for the logical design of software,
when we augment the problem universe with elements
of the chosen solution. Temporal and concurrency
properties appear more often in the solution
than in the requirement space.

On the other hand, if we want formalism to permeate
software development, we need to extend its
application from the requirements phase to later
steps of the software life cycle. A practical approach
to formal logical design, based upon the
MooZ (and Z) experience, capable of treating time
and concurrency, among other properties, is the
key issue of this work.

The semantic foundation is given by MAL [5, 4],
a very comprehensive and expressive linguistic
framework. In particular, MAL's object structured
version is very adequate for the purpose in
hand and is described below.

This article reports on the way to incorporate 
MAL in object oriented Z and shows that the ap¬ 
proach may be a general way to enrich model based 
specification languages with stronger semantics. 

2. Object structured modal action logic 

The application of modal and temporal logics in the
specification of software systems has been advocated
for more than a decade [1, 2, 11, 10]. The logic
shown herein, MAL, is adapted from the work of
Fiadeiro and Maibaum [5, 4].

A MAL specification is a set of related object
descriptions, each one being a pair $(\theta, \Phi)$ where $\theta$
is an object signature and $\Phi$ is a set of formulas over
$\theta$. If an object description is viewed as a theory,
the signature and the formulas are the language
and the axiomatics of the theory, respectively.

An object signature contains a universal signature
(a usual algebraic signature with a special
sort for events) and families of attribute and action
symbols. The rigid and non-rigid symbols are syntactically
distinguished, the former coming from
the universal signature and the latter from the attributes
and actions. If $S$ is the set of sorts, then
every function symbol from the universal algebra
and every attribute is $S^* \times S$-indexed; every action
is $S^*$-indexed.

Terms include variables (introduced via classifications),
function application (either from universe
functions or attributes) and modal qualification of
other terms. This last and unusual construction
was introduced in [6], in order to make formulas
more intuitive, because very often one needs to express
the changes in individual entities, not in whole
formulas. Languages like VDM and Z have
similar features. The translation of our language to
MAL is easier with modal qualification of terms.

To express change, there are also action terms 
resulting from the application of action symbols to 
arguments. Formulas are relations between state 
propositions. 

The semantics of an object signature $\theta =
(\Sigma, \Omega, \Gamma)$ is given by an interpretation structure
$(U, J, V, O)$, where:

• $U$ is a $\Sigma$-algebra such that $E_U$ (the interpretation
of $E$, the sort of events, in $U$) is not
empty.

• $J$ maps:

  - $f \in \Omega_{(s_1 \ldots s_n, s)}$ into $J(f)$,

  - $g \in \Gamma_{(s_1 \ldots s_n)}$ into

$J(g) : s_{1U} \times \cdots \times s_{nU} \times E_U \to \wp(E_U)$

• $V$ and $O$ are relations over $E_U \times E_U$.

The relations V and O state in which event an 
action is permitted or obligatory. Sequences of ac¬ 
tions make trajectories, which can be safe and/or 
live, following a deontic style of specification that 
does not prescribe behavior. Separating norma¬ 
tiveness from inconsistency is richer than the pure 
temporal logic approach, since it allows the speci¬ 
fication of error recovery, punishment, etc. Imple¬ 
mentations are either normative or else treat non- 
normative traces explicitly. 

We may define special interpretation structures
that guarantee locality. Events that respect locality
are called local events. We call $\theta$-locus an interpretation
structure where every non-local event
in every trace (finite sequence of events) does not
affect any attribute. Locality plays a very important
role, assuring that encapsulation of information
will be part of the theory presentation. The
semantics of modal qualification of terms and state
propositions are given over traces, constituting a
Kripke semantics, where traces are the "possible
worlds".

Satisfaction of propositions is defined in terms 
of an interpretation structure, an assignment and 
a trace. The truth-value of formulas is defined by a 


Class <Class_Name>
  givensets <type_names_list>
  superclasses <class_references_list>
  <auxiliary_definitions>
  private <definition_names_list>
    or
  public <definition_names_list>
  constants
    <axiomatic_descriptions_list>
  <auxiliary_definitions>
  state
    <anonymous_schema> or <constraint>
  initialstates
    <schema>
  <auxiliary_definitions>
  operations
    <definitions>
EndClass <Class_Name>.

Figure 1: General structure of a class.

relation by which reasoning about information
in a state is possible. There is another consequence
relation ($\Rightarrow_\theta$) intended to reason about the consequences
of a specification: an assertion $(\Gamma \Rightarrow_\theta f)$
is valid iff every $\theta$-object that makes every formula
of $\Gamma$ true also makes $f$ true.

Object descriptions are related to each other by
morphisms that map pairs of signatures and axioms.
Particularly, morphisms must preserve locality,
to allow for compositional development.

3. The new language: MaMooZ

Modular object oriented Z (MooZ) [9] enriches
Z with object-oriented concepts (classes and inheritance)
keeping the syntax as near as possible to
that of Z. Like Z, MooZ semantics is based on set
theory and classical first-order logic. The language
does not allow for definitions outside classes, so
that any relation between classes must be either
clientship or inheritance. The general format of a
MooZ class is shown in fig. 1.

MaMooZ [7] is a modal logic enrichment of MooZ,
where the syntax is close to the latter's but the semantics
is given in terms of MAL. The translation
method is given in [7, Ch. 5].

A method may be defined by a schema or by a semantic
operation (an axiomatic description which
involves state components). The definition of a
method in a MaMooZ class means an action that
can be performed by an object in an event. The
events occur constantly and eternally; there is a
global event sequence, called trace, unique for all
the system. Operationally, we can think of events
as clock ticks heard by all objects. In some ticks
some objects do something, like communicating
with other objects or altering their private memory.
These actions are specified by the methods.

The methods of an object occur in some subset 
of the event set. This subset may contain events 
dispersed throughout the trace. Two methods oc¬ 
curring in the same event are simultaneous; if they 
come from distinct objects there is a synchronisa¬ 
tion between the objects, maybe with information 
exchange. 

Objects can be modified iff one of their methods
occurs in a given event; otherwise, the event is silent
in relation to that object and not observed by it.

In MooZ, a method takes into account the object's
current state (say $s$) and the next ($s'$). This is
still valid in MaMooZ: the translation of a decorated
component is the component modally qualified
by the event in which the method occurs, meaning
the value of the component after the method's
occurrence.

For example, consider the following method definition,
specifying a semantic operation that increases
the value of a state component. Suppose
that $a$ is a component (attribute, in MAL terminology)
of the class (object description, in MAL).

_ Increases _____________________
  a, a' : ℕ
  ______________________________
  a' > a

The MAL translation of this operation is:

$\forall x : E \bullet Increases(x) \rightarrow ([x]a > a)$

where $E$ stands for the sort of events. This proposition
could be read as:

When Increases occurs in an event $x$,
the value of $a$ after the event is greater
than the value of $a$ before the event.


The two deontic predicates Per and Obl are
present in MaMooZ. $Per(a_1, \ldots, a_n)$ means that
some of the methods $a_1, \ldots, a_n$ may happen in the
next event observed by the object, i.e. that the
methods in the list have permission to occur.
The predicate $Obl(a_1, \ldots, a_n)$ establishes that in
future events the methods $a_1, \ldots, a_n$ will occur.
There is no restriction about how many events will
fill the trace between the setting of an obligation
and its satisfaction. The semantics of an obligation
is analogous to that of the operator ◇ (or F)
in temporal logic: the obligation will be eventually
discharged by the occurrence of the method.

Both for Per and Obl there is no relation between
the several methods listed as arguments: they are
grouped only for brevity and the order is unimportant.
So $Per(a_1, \ldots, a_n)$ is an abbreviation for

$Per(a_1) \wedge \ldots \wedge Per(a_n)$.
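A trace checker makes the normative reading of Per and Obl concrete: permission constrains what the object's next observed event may contain, and an obligation must be discharged by a later occurrence. The block below is an added example, not code from the paper or from MaMooZ; the phone-box methods, the trace and the norms are constructed for illustration, and the rules it applies (a Per issued at an observed event governs only the object's next observed event; an Obl still open at the end of a finite prefix is reported as undischarged) are our reading of the text, not a semantics the page states.

```python
# Constructed trace for one MaMooZ object (a phone box, echoing the text's
# full-paper example; methods and norms are made up for illustration).
# Each entry is the set of this object's methods occurring in that event;
# an empty set is an event silent for the object.
TRACE = [
    {"insert_coin"},   # event 0
    set(),             # event 1: silent for the phone box
    {"dial"},          # event 2
    {"hangup"},        # event 3
    set(),             # event 4
    {"dial"},          # event 5: dialling without a coin
]

# Norms issued at an event (after that event's methods have occurred).
# Per lists what may happen in the object's next observed event; Obl lists
# what must happen in some future event.
NORMS = {
    0: {"Per": {"dial", "hangup"}, "Obl": {"hangup"}},
    2: {"Per": {"hangup"}, "Obl": set()},
    3: {"Per": {"insert_coin"}, "Obl": {"insert_coin"}},
}


def observed_events(trace):
    """Indices of the events the object observes (one of its methods occurs)."""
    return [i for i, methods in enumerate(trace) if methods]


def check_trace(trace, norms, initial_per):
    """Check a finite trace prefix against Per/Obl norms.

    Reading adopted here (an assumption about the semantics): a method
    occurring at an observed event is permitted iff it is in the Per set in
    force, i.e. the Per set issued at the previous observed event
    (initial_per before the first one; nothing is permitted after an event
    that issued no Per). An Obl(m) issued at event i is discharged by an
    occurrence of m at any later event, and one still open at the end of
    the prefix is reported as undischarged.

    Returns (permission_violations, open_obligations), both as sorted lists
    of (event_index, method) pairs.
    """
    violations = []
    pending = []                    # (event issued, method) still open
    per_in_force = set(initial_per)
    for i in observed_events(trace):
        for m in sorted(trace[i]):
            if m not in per_in_force:
                violations.append((i, m))
        # obligations issued at earlier events are discharged by this event
        pending = [(j, m) for (j, m) in pending if m not in trace[i]]
        issued = norms.get(i, {"Per": set(), "Obl": set()})
        per_in_force = set(issued["Per"])
        pending.extend((i, m) for m in sorted(issued["Obl"]))
    return violations, sorted(pending)


if __name__ == "__main__":
    print(check_trace(TRACE, NORMS, {"insert_coin"}))
```

On the constructed trace the second `dial` (event 5) is flagged because the only permission in force after `hangup` was `insert_coin`, and the obligation to insert a coin issued at event 3 is still open when the prefix ends; the `hangup` obligation from event 0 was discharged at event 3.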

Besides Per and Obl, a few words are introduced
in the language to name special sorts. The
methods in a class, whether defined or inherited,
have sort Method. This sort has "local" meaning,
its elements being distinct in each context. Attribute
is the sort of a class' state components and
Event is the (global) sort of events.

A construct like object Method could be used to
obtain a set with the names of the methods of a
class. The same holds for attributes. All these
constructs are well founded in MAL and, as far as
possible, compatible with Z (and MooZ) style.

MaMooZ specifications are organized in documents
and chapters (coarse grain modules) and
classes (fine grain). Operations in the classes may
be defined by schemas and axiomatic descriptions.
The predicates defining an operation may use
deontic predicates (permission and obligation) in
order to deal with time and concurrency, but there
is no explicit modal qualification of terms, since
this is the resource used in the semantics to map
components of the operations representing "next
state values".

In the full article, we describe the operation of a
phone box to show how the resources brought from
MAL increase the expressive power of the basic
specification language.
4. Conclusion

Other approaches to incorporate modal logics in
Z are restricted to temporal logics [3]. Richer languages,
like MAL, may be used too, without many
changes to the syntax, with the semantics given by
a translational approach, instead of ZF theory.

There are many open problems to deal with; the
calculus [5] proposed for MAL should be "upgraded"
to MaMooZ, to cater for a more abstract syntactical
and semantical discourse.

The adoption of explicit temporal operators
should be studied, but care must be taken to avoid
conflicts between the deontic and temporal facets.
In particular, modal qualification of temporal operators
is impossible and should be refrained from.
Surely, the two tasks are connected: if temporal
operators are used, then the calculus must be refined
to deal with them.
Abstract


We very briefly present a rigorous and modular method
we are developing to design reactive systems starting from
their desired properties. This method is based on a mechanisation
of Manna-Pnueli's modular validity concept and
on a modular temporal language in which properties are invariant
under stuttering [1]. A compositional proof system
is established to support both specification verification and
modular program construction. Each program is developed
together with the proof that it meets its specification. A
refinement relation is defined by using the rules backward,
while the proof is constructed by using the same rules
forward. Constrained by a limited space, we hope to focus
attention on the underlying concepts and leave a complete
presentation of the proof system (soundness, relative completeness,
modular completeness, and adaptation completeness)
to a future paper. We give some results in this short
paper omitting proofs; a full version will include the main
results with proofs.


1 Introduction

The temporal logic as presented in [12, 13] provides a powerful
tool for global specification and non-compositional verification
of existing concurrent programs. However, this logic
offers a very poor support for systematic design of concurrent
programs because of lack of modularity. More recently
new concepts have been introduced in order to make the
language of temporal logic more modular and the temporal
proof system more compositional [2, 4, 9]. In the present
work we explore these new concepts and we present a modular
specification method together with a compositional temporal
proof system. We show how our logic offers a rigorous
support for the systematic design of concurrent programs.

Our logic aims to provide a mixed verification and development
strategy (top down and bottom up) of concurrent
programs. Proof rules should (1) preserve some desired
properties (safety and certain liveness properties), (2) be
compositional, and (3) be possibly mechanisable. The first
feature aims to guarantee that whenever the starting abstract
specification expects the system to operate according
to some safety properties (partial correctness, deadlock
freedom, mutual exclusion, ...) then so behaves the derived
implementation. We show that liveness properties
are in general more difficult to preserve whenever we want
to define the proof rules according to a composition principle.
But such a principle is of a great importance when
we want to adopt both the modular verification and stepwise
refinement concepts in the concurrency setting. Given
the correctness proofs of some small modules, composition
principles allow the verifier to establish the correctness of
bigger modules. Conversely, given the specification of a
big module to be implemented, composition principles allow
the designer to reduce the implementation problem to
the subproblems of implementing smaller modules.

Traditionally, composition principles for both specification,
verification and refinement of concurrent systems are
considered hard to obtain. However, previous work [4, 5, 17]
has shown that this difficulty mainly lies in the formulation
of a compositional rule for parallel composition. Now,
in our opinion, if one wants to formulate a compositional
rule for parallel composition, then the first step is to be
careful at the stage of the definition of the specification
language semantics. Especially, we believe that invariance
under stuttering of properties* is one of the key requirements
needed for parallel composition to be conjunction
and to be able to implement a coarser-grained program by
a finer-grained one in the setting of the temporal logic [2].


2 The logic

The full purpose of this work is to provide a complete
methodology for the compositional specification, verification
and development of reactive programs. For this we first introduce
a programming notation (IPL) for concurrent modules
of a reactive system and define a computational model
to represent the semantics of modules. The obtained semantics
is compositional in the sense that the semantics of a composite
reactive system is computed from a formal relation
between the semantics of its sub-modules. We then define the
temporal logic MTL and derive from it a specification language
by establishing a close connection between computations
of IPL programs and models of MTL formulas. Our
logic is state-based oriented. A system may be specified
at many levels of abstraction; highest-level properties are
described in terms of stuttering invariant temporal formulae,
while implementations are programs in an intermediate
programming language that we call IPL. A highest-level
specification must talk about only the expected behaviour
of the system, while avoiding references to efficiency or architectural
details of its implementation. Such details can
be introduced only in the last stage of the design process
when a parallel algorithmic solution is already built.


* A property $P$ is said to be invariant under stuttering if whenever
a model $\sigma$ satisfies $P$ then every model $\tau$, stuttering equivalent (this
will be defined below) to $\sigma$, satisfies $P$.
2.1 A programming notation for reactive systems

Reactive systems are coded using the language IPL. This
language is a slight modification of the language introduced
in [14]. The modifications we have introduced aim to reach
a compositional semantics for programs written in IPL. For
instance, the usual laws, commutativity and associativity, of
the concatenation and parallel constructs are preserved. The
central notion of IPL is the one of module statement. Here
is an excerpt of the syntax. A module statement has the
form M :: [module; interface; body] where,

interface ::= {modes decl}*

modes     ::= {in | out | consum | external}+

body      ::= [local decl;] statement

decl      ::= {variable | channel}+ : type [where : init]

statement ::= action | statement; statement |
              IF ||_i guard -> statement FI |
              DO ||_i guard -> statement OD |
              [label :] statement [: label]

action    ::= skip | assignment | send | receive
guard     ::= expression | receive
send      ::= channel ! expression
receive   ::= channel ? variable

A reactive system Net has the following syntax:

Net ::= M | Net || Net | νc. Net | Net[d/c]

Concurrent modules communicate by asynchronous message
passing via unbounded channels. Each module
should communicate with the environment (other modules)
through its interface according to the modes assigned to
channels. Local variables are not visible outside, thus all
variables of a module are implicitly hidden. Throughout
the remainder of this paper we assume the syntactic restriction
that variables in different modules are distinct,
while we give more attention to channels. Hiding of channels
must be done explicitly using the binder $\nu$. We define
the viewed channels of a module $M$ (by the environment)
to be channels that are not hidden. $Net[d/c]$ represents
channel renaming of $c$ into $d$. Let $c$ be a channel declared
in $M$; a statement of $M$ may have a reading (resp. writing)
reference to $c$ only if $c$ is declared with the mode in (resp.
out). A statement in a module parallel to $M$ may have a
reading (resp. writing) reference to $c$ only if $c$ is viewed and
declared (in $M$) with the mode consum (resp. external).

Definition 2.1 (interface compatibility) Let $M_1$ and
$M_2$ be two modules; we say that $M_1$ and $M_2$ are interface
compatible (we denote by $M_1$ compat_with $M_2$) if the declarations
for any channel $c$ that is declared as viewed in both
$M_1$ and $M_2$ satisfy the following requirements: the types of
$c$ in both declarations match, the conjunction of the where
clauses (supposed true when not specified) is consistent,
and if one of the declarations specifies an out (resp. in)
mode, the other specifies an external (resp. consum) mode.

Semantics. The basic computational model we use
to assign semantics to reactive programs is that of fair
transition system (FTS for short). We associate with
each IPL module $M$ a fair transition system $S_M =
(\Pi_M, \Sigma_M, T_M, \Theta_M, J_M, F_M)$ which consists of the following
components:

$\Pi_M$ [State variables]: $\Pi_M = \{\pi_M\} \cup C_M \cup Y_M$. $\pi_M$ is a control
variable; it ranges over $L_M$ where $L_M$ denotes the set
of locations in $M$. $C_M$ denotes the set of channels declared
in the interface of $M$. $Y_M$ denotes local (data) variables in
$M$.

$\Sigma_M$ [States]: All the possible interpretations of variables
in $\Pi_M$ consistent with their types.

$T_M$ [Transitions]: these consist of
(1) the transitions $\tau_S$ associated with statements $S$ in the
body of $M$, (2) the idling transition $\tau_I$ represented by the
transition relation $\rho_{\tau_I} : true$; it represents the stuttering
steps in Abadi-Lamport's terminology [1] which characterise
internal transitions executed by the environment, (3)
the environment receiving transition $\tau^{er}_c$, i.e. the transitions
specified by the formula $(|c| > 0) \wedge (c' = tl(c))$ for
any consum channel $c \in C_M$, (4) the environment sending
transition $\tau^{es}_c$, i.e. the transitions specified by the formula
$\exists e. (c' = c \cdot e)$ for any external channel $c \in C_M$.
$\tau^{er}_c$ and $\tau^{es}_c$ represent the observable transitions executed by
the environment. We distinguish, for a module $M$, the environment
transitions from all the other ones.

$\Theta_M$ [Initial condition]: consists of $\Theta_M = (\pi = l_0) \wedge \varphi$
where $\varphi$ represents the where parts of the declarations of
out channels and local variables ($l_0$ is the initial location
of the module $M$). The initial value of external channels
is controlled by the environment.

Fairness: $J_M$ contains just transitions, i.e. transitions
which cannot be continually enabled but taken only finitely
many times. This consists of all the (internal) transitions
associated with local statements of $M$. $F_M$ contains fair
transitions, i.e. transitions which cannot be infinitely often
enabled but taken only finitely many times. This consists
of all the (observable) transitions associated with communication
statements of $M$. Environment transitions such as
$\tau_I$, $\tau^{er}$ and $\tau^{es}$ are contained in neither $J_M$ nor $F_M$.

Behaviours: A behaviour of a module $M$ is a set of computation
structures which represent its possible executions.
A (possible) computation of $M$ is an infinite sequence of
states $\sigma : s_0, s_1, \ldots$ such that (1) $s_0$ satisfies the initial condition
$\Theta_M$, (2) for each $i \geq 0$, $\tau(s_i, s_{i+1})$ for some $\tau \in T_M$,
(3) $\sigma$ satisfies the justice and fairness requirements imposed by
the sets $J_M$ and $F_M$. Two computations $\sigma, \tau$ are said to be
stuttering equivalent (in notation $\sigma \simeq \tau$) if they are equal
modulo stuttering steps. We recall that in such a semantic
model, finite computations are represented by infinite
sequences by adding an infinite number of stuttering steps
($\tau_I$) which take the halting state into itself.
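Stuttering equivalence and the invariance property defined in the footnote are easy to make executable for finite prefixes: collapsing every repeated state gives a canonical form, two computations are stuttering equivalent iff their canonical forms agree, and an operator is stuttering invariant iff it gives the same verdict on equivalent runs. The block below is an added example, not code from the paper; the two computations and the state predicates are constructed, and a finite list is read, as in the text, as padded with infinitely many idling steps on its last state. It also shows why Section 2.2 avoids the Next operator: `next_holds` separates two runs that `always` and `eventually` cannot tell apart.

```python
# Constructed computations (not from the paper). A state is a tuple of
# variable values (x, y); a finite list stands for the infinite sequence
# obtained by repeating its last state forever (idling steps).
SIGMA = [(0, 0), (1, 0), (1, 0), (1, 1)]
TAU = [(0, 0), (0, 0), (1, 0), (1, 1), (1, 1)]


def pad(computation, extra_steps):
    """Append extra idling steps on the halting state (same computation)."""
    return list(computation) + [computation[-1]] * extra_steps


def collapse_stuttering(computation):
    """Drop every stuttering step s_i -> s_{i+1} with s_i == s_{i+1}.
    The result is the canonical representative of the computation's
    stuttering-equivalence class (for finite prefixes padded as above)."""
    out = []
    for s in computation:
        if not out or out[-1] != s:
            out.append(s)
    return out


def stuttering_equivalent(sigma, tau):
    return collapse_stuttering(sigma) == collapse_stuttering(tau)


def always(pred, computation):
    """[]p on the prefix: p holds in every state."""
    return all(pred(s) for s in computation)


def eventually(pred, computation):
    """<>p on the prefix: p holds in some state."""
    return any(pred(s) for s in computation)


def next_holds(pred, computation):
    """Op: p holds in the state right after the initial one."""
    return pred(computation[1] if len(computation) > 1 else computation[0])


def invariant_under_stuttering(op, pred, sigma, tau):
    """True iff op(pred, .) gives the same verdict on two stuttering
    equivalent computations, i.e. the footnote's condition on this pair."""
    if not stuttering_equivalent(sigma, tau):
        raise ValueError("inputs must be stuttering equivalent")
    return op(pred, sigma) == op(pred, tau)


if __name__ == "__main__":
    print(collapse_stuttering(SIGMA), collapse_stuttering(TAU))
    print(invariant_under_stuttering(next_holds, lambda s: s[0] == 1, SIGMA, TAU))
```

`always` and `eventually` only look at which states occur, so repeating a state cannot change their verdict; `next_holds` asks what happens at position 1, and one idling step at the start of TAU flips it, which is exactly the abstraction problem with Next that the next section quotes Lamport on.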

The semantics of a reactive system $N_1 \| \ldots \| N_n$ is a fair
transition system resulting from a fair composition of the transition
systems associated with the modules² $N_i$; in notation,
$S_{N_1 \| \ldots \| N_n} = S_{N_1} \otimes \ldots \otimes S_{N_n}$. Executions in $S_{N_1 \| \ldots \| N_n}$ are
represented as interleavings of concurrent actions in the different
modules under fairness constraints.

Definition 2.2 Let $M_1$ and $M_2$ be two channel-hiding free
modules (i.e., modules in which the binder $\nu$ does not occur).
We define $int\_mode_i(c)$ (resp. $aux\_mode_i(c)$) to be
the set of modes in $\{in, out\}$ (resp. in $\{consum, external\}$)
assigned to the channel $c$ in the module $M_i$, and $mode_i(c) =
int\_mode_i(c) \cup aux\_mode_i(c)$. We denote by $IST\_mode(c)$,
for a shared channel $c$, the set of modes $m$ such that
$m \in (aux\_mode_1(c) \cup aux\_mode_2(c)) \setminus (aux\_mode_1(c) \cap aux\_mode_2(c))$.

Definition 2.3

Let $S_{M_i} = (\Pi_{M_i}, \Sigma_{M_i}, T_{M_i}, \Theta_{M_i}, J_{M_i}, F_{M_i})$, $i \in \{1, 2\}$ be
the FTS associated with modules $M_1$ and $M_2$. The FTS
associated with the composed module $M_1 \| M_2$ is defined as
follows:

1. $\Pi_M = \Pi_{M_1} \cup \Pi_{M_2}$ where, (i) for every non-shared
channel $c$ (i.e. $c$ is declared in $M_i$ only, for $i \in \{1, 2\}$),
$mode(c) = mode_i(c)$, and (ii) for every shared channel
$c$ (i.e. $c \in \Pi_{M_1} \cap \Pi_{M_2}$), $int\_mode(c) = int\_mode_1(c) \cup
int\_mode_2(c)$ and $aux\_mode(c) = aux\_mode_1(c) \cap
aux\_mode_2(c)$.

2. $\Sigma_M = \{s : \Pi_M \to D \mid s|_{\Pi_{M_1}} \in \Sigma_{M_1} \text{ and } s|_{\Pi_{M_2}} \in \Sigma_{M_2}\}$

3. $T_M = (T_{M_1} \cup T_{M_2}) \setminus (\{\tau^{es}_c \mid c \in \Pi_{M_1} \cap \Pi_{M_2} \wedge external \in
IST\_mode(c)\} \cup \{\tau^{er}_c \mid c \in \Pi_{M_1} \cap \Pi_{M_2} \wedge consum \in
IST\_mode(c)\})$

4. $\Theta_M = \Theta_{M_1} \wedge \Theta_{M_2}$ (consistency is guaranteed by the
interface compatibility requirement)

5. $J_M = J_{M_1} \cup J_{M_2}$ and $F_M = F_{M_1} \cup F_{M_2}$

² Although components $N_i$ are arbitrary reactive systems we call
them modules; semantically we consider a reactive system as a new
composed module.
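Definitions 2.1 and 2.3 together describe a mechanical check that a practitioner would want before composing two modules: verify that every shared channel is declared consistently on both sides, then compute the composed channel modes and the environment transitions that become internal. The block below is an added example, not code from the paper; the producer/consumer interfaces are constructed, and two simplifications are assumptions: a where clause is represented as the finite set of admissible initial channel contents (so consistency of the conjunction is a non-empty intersection), and hidden channels are taken to be already removed from the interface dictionaries.

```python
INT_MODES = {"in", "out"}            # how the module itself uses the channel
AUX_MODES = {"consum", "external"}   # how the environment may use it

# Constructed interfaces (not from the paper). A module is a dict
# channel -> declaration. "where" is the set of admissible initial contents
# of the channel (a channel is a sequence, () the empty one); None stands
# for an absent where clause, read as true. The producer writes req and
# reads ack; the consumer does the converse.
PRODUCER = {
    "req": {"type": "int", "where": frozenset({()}), "modes": {"out", "consum"}},
    "ack": {"type": "bool", "where": None, "modes": {"in", "external"}},
}
CONSUMER = {
    "req": {"type": "int", "where": frozenset({()}), "modes": {"in", "external"}},
    "ack": {"type": "bool", "where": frozenset({()}), "modes": {"out", "consum"}},
}
# A peer that gets the type, the where clause and the modes of req wrong.
BAD_PEER = {
    "req": {"type": "bool", "where": frozenset({(0,)}), "modes": {"in"}},
}


def where_consistent(w1, w2):
    """Conjunction of two where clauses is satisfiable (finite-set model)."""
    if w1 is None or w2 is None:
        return True
    return bool(w1 & w2)


def compat_with(m1, m2):
    """Definition 2.1 on the channels viewed in both modules.
    Returns (ok, reasons); reasons is empty iff the modules are compatible."""
    reasons = []
    for c in sorted(set(m1) & set(m2)):
        d1, d2 = m1[c], m2[c]
        if d1["type"] != d2["type"]:
            reasons.append(f"{c}: type mismatch {d1['type']} vs {d2['type']}")
        if not where_consistent(d1["where"], d2["where"]):
            reasons.append(f"{c}: inconsistent where clauses")
        for own, peer in (("out", "external"), ("in", "consum")):
            if own in d1["modes"] and peer not in d2["modes"]:
                reasons.append(f"{c}: {own} in first module needs {peer} in second")
            if own in d2["modes"] and peer not in d1["modes"]:
                reasons.append(f"{c}: {own} in second module needs {peer} in first")
    return (not reasons), reasons


def compose_modes(m1, m2):
    """Definition 2.3, items 1 and 3: channel modes of M1 || M2, the
    IST_mode of each shared channel, and the environment transitions that
    disappear, as (kind, channel) with kind 'es' (sending) or 'er' (receiving)."""
    modes, ist, dropped = {}, {}, set()
    for c in sorted(set(m1) | set(m2)):
        if c not in m2:
            modes[c] = set(m1[c]["modes"])
        elif c not in m1:
            modes[c] = set(m2[c]["modes"])
        else:
            a1, a2 = m1[c]["modes"] & AUX_MODES, m2[c]["modes"] & AUX_MODES
            i1, i2 = m1[c]["modes"] & INT_MODES, m2[c]["modes"] & INT_MODES
            modes[c] = (i1 | i2) | (a1 & a2)
            ist[c] = a1 ^ a2          # modes only one side assigned
            if "external" in ist[c]:
                dropped.add(("es", c))   # the peer now does the sending
            if "consum" in ist[c]:
                dropped.add(("er", c))   # the peer now does the receiving
    return modes, ist, dropped


if __name__ == "__main__":
    print(compat_with(PRODUCER, CONSUMER))
    print(compat_with(PRODUCER, BAD_PEER))
    print(compose_modes(PRODUCER, CONSUMER))
```

After composition both channels are purely internal (`in` and `out` only): the environment sending and receiving transitions on `req` and `ack` are dropped because each auxiliary mode was assigned on exactly one side, which is what item 3 expresses with $IST\_mode$.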


We complete the definition given above by the following
laws to deal with hiding and renaming of channels.

$M_1 \| \nu c. M_2 \equiv \nu c.(M_1 \| M_2)$ if $c \notin chan(M_1)$

$M_1 \| \nu c. M_2 \equiv \nu d.(M_1 \| M_2[d/c])$ if $c \in chan(M_1)$, where $d$ is
a fresh channel variable.

Now let $M$ be an arbitrary module whose associated FTS
is $(\Pi_M, \Sigma_M, T_M, \Theta_M, J_M, F_M)$.

(1) S»c. M * (DM.EM.^M.djif, Jmi^m) with 0i< » 

®m\ 

(2) $S_{M[d/c]} = S_M[d/c]$ (renaming is extended to tuples in
the usual way).

Definition 2.4 (compatible computations) Let $\sigma, \tau$ be
two computations of $S_{M_1}$ and $S_{M_2}$ respectively ($M_1$ and $M_2$
are expected to be executed in parallel, so they are interface
compatible); we say that $\sigma$ and $\tau$ are compatible ($\sigma \bowtie \tau$)
iff all transitions in $\sigma$ and $\tau$ involving shared channels are
observable by each other (a formal definition is given in the
full paper).

Proposition 2.1 The relation compat_with satisfies the
following properties:

(i) Let $M_1$ and $M_2$ be two modules; if $M_1$ compat_with $M_2$
then $M_2$ compat_with $M_1$.

(ii) Let $M_1$ and $M_2$ be two compatible modules. $M$ compat_with
$[M_1 \| M_2]$ iff $M$ compat_with $M_1$ and $M$ compat_with $M_2$.

Proposition 2.2 Let $M = [M_1 \| M_2]$ and $S_M$ the FTS associated
with $M$ according to the relation $S_M = S_{M_1} \otimes S_{M_2}$.
The two following propositions are equivalent:

(1) there exists a computation $\sigma$ of $S_M$ such that $\sigma|_{M_1} \simeq
\sigma_1$ and $\sigma|_{M_2} \simeq \sigma_2$

(2) $\sigma_1$ and $\sigma_2$ are two compatible computations of $S_{M_1}$ and
$S_{M_2}$ respectively.


Another important consequence of Definition 2.3 is the
recovery of the usual laws of parallel construction.

Proposition 2.3 Let $M_1, M_2, M_3$ be three interface compatible
modules,

$(M_1 \| M_2) \| M_3 \equiv M_1 \| (M_2 \| M_3)$³

³Two programs $N_1$ and $N_2$ are semantically equivalent if their
associated FTSs $S_{N_1}$ and $S_{N_2}$ are equivalent; we write $N_1 \equiv N_2$.


2.2 A etattoring invariant tamparal ian g ua g e 

We are convinced that we must be careful at the design decision stage when we want to define a temporal logic for reactive programs which should be compositional. Linear discrete temporal logic has been perceived to be an appropriate tool both for the description of the semantics of concurrent (and sequential) programs and for reasoning about them. This relies on the fact that concurrent program behaviour can be easily modelled by all possible interleavings of the discrete, linear execution sequences arising from the separate 'sequential' processes of the concurrent program (interleaving semantics). In [3] Barringer et al. proposed a compositional temporal logic for the specification and verification of concurrent systems. They use a floating version of the linear temporal logic with the fixpoint operators and still represent actions by the classical Next operator ○. However, such a logic has been strongly criticised from different points of view. Our study of a refined temporal logic, ITL, starts from a list of valid remarks made by the pioneers of temporal logic:

- In [7] Lamport objects to the use of the Next operator as the origin of some trouble in abstraction, since it forces too many irrelevant details to be present in the semantic description. It appears that the lowest level of atomicity is forced to be visible, which a properly abstract semantics should not make. He provided strong evidence that all the properties one wishes to express for asynchronous systems do not require this operator.

- Still for abstraction, quantification over state variables turned out to be very useful [11], and has been shown to be necessary for attaining compositional completeness.

- Manna and Pnueli [10] argued that the addition of the past fragment to the future temporal logic contributes to the utility of the temporal language; while it is not more expressive, the full language is found to be more convenient. In [11] they gave some points of dissatisfaction with the full logic presented in [10], due to the floating interpretation which does not assign any special significance to the initial state, so that satisfiability and validity are evaluated at all positions in the computations. This interpretation needs the generalisation rule in the proof system, which violates the deduction rule (a powerful tool in the predicate calculus) and, on the other hand, requires the suffix-closure property for the set of computations when one needs to interpret formulas over computations of a given program. In fact, they presented an anchored temporal logic in [11] in which a formula p is defined to be valid (resp. satisfiable) over a set of sequences C if it holds at position 0 of every (resp. some) sequence of C.

Our present contribution is concerned with the investigation of such remarks and the proposal of a refined temporal logic ITL in which (1) we consider the anchored interpretation, (2) quantification over state variables, and (3) actions are formulated in terms of a new Next operator which is insensitive to finite stuttering and sensitive to infinite stuttering. The resulting logic has the same expressive power as the full temporal logic [14], does not require suffix closure of program computations, and guarantees invariance of properties under stuttering. It thus provides a good abstraction for compositional specification and verification of concurrent systems and also offers good support for the systematic design of concurrent programs.

The new and central concept in the definition of ITL consists in introducing a new kind of Next operator, denoted ○_ω (and its dual). An important feature of ○_ω is being insensitive to finite ω-stuttering and sensitive to infinite ω-stuttering (with respect to a given set of variables ω), while its dual is insensitive to both finite and infinite ω-stuttering. We then define the other temporal operators (until, unless, etc.) in terms of ○_ω in order to obtain a temporal logic that will enable semantic descriptions which are invariant under finite ω-stuttering. This is one of the major results needed to ensure the level of abstraction necessary for modular specification and compositional verification of concurrent systems.


2.3 Properties of IPL programs

In order to relate a specification presented by a formula in the logic to the program it is supposed to specify, it is necessary that the computations of a program can serve as models (in the logical sense) for the formula, which means that we can evaluate the formula on each of these computations and find whether it holds on the computation. Thus we say that the program satisfies (or implements) the specification given by the formula p if p holds over each of the computations of its behaviour. For this we augment the ITL logic by some program-specific predicates and functions, referring to the additional IPL constructs needed to fully describe a state in the computation of a reactive program, for instance the control-predicates like at(M), after(M), and the mode-predicates like out(c), e-out(c), in(c).

One of the most important classifications of properties of reactive systems is their partition into safety and liveness properties [8]. The advantage of this partition is to provide a way to recognise some incompleteness aspects of specifications. For example, it is now well known that no specification of a system can be complete without containing some safety properties and some liveness properties. In most cases all the safety properties can be trivially satisfied by a program that does nothing. We may view one of the roles of liveness properties as ensuring that safety properties are not implemented by a "do-nothing" program. They are hence intended to discard trivial solutions during the design process. A property of an IPL program is of the form:

P —« =er 

P »"!**« • t=* P^~^ “*• F V f 
stable_ω(p) ≡ p unless_ω false
invariant_ω(p) ≡ p ∧ stable_ω(p)

p ↝_ω q ≡ □_ω(p → ◇_ω q)


2.4 Modular specification

Large systems are built up of several components (modules) and a separate specification is given for each component, specifying its desired behaviour in the whole system. For specifying concurrent modules we explore Lamport's modular specification method [6, 8] and similar notions introduced in [14]. We should be able to separately specify concurrent program modules in a convenient way, as in the work of Lamport [6, 8]. We emphasise, in particular, the relevance of complementing a specification module by the specification of the interface, the mechanism by which the module communicates with its environment. The interface specification of a module stipulates the constraints the environment must satisfy for a correct communication with this module. Thus a specification module consists of two parts. The first part, namely interface, specifies constraints on the interaction of the system with its environment. The second part, namely body, specifies the computation expected from the system. It specifies the initial state of the system, its safety properties and its liveness properties. The information that the interface should contain is especially essential for the completeness of the specification module. For this purpose, Lamport argued in [8] that the interface must be specified at the implementation level. Indeed a complete specification should eliminate the need for any communication between the user of the module and its implementor. Thereby the interface part will be a low-level specification (IPL), while the body is a highest-level specification (temporal language).

Definition 2.3 (Module specification) A module specification is an object of the form [inter; var; p] where inter declares shared variables (channels) and var declares local variables. p is an ITL formula which specifies the expected behaviour of the module within the whole system. The property p has to be satisfied independently of the context in which the module operates.

Definition 2.4 (Modular validity [14]) A formula p is defined to be modularly valid for a module M1 (in notation, M1 ⊨_m p) if p is valid over the program M1||M2 for any module M2 interface compatible with M1 (in notation, [M1||M2] ⊨ p).

Lemma 2.1 If M1 ⊨_m p1 and M2 compat_with M1 then [M1||M2] ⊨ p1.

Overview. The proof system provides a collection of composition proof rules which, on the one hand, given the correctness proofs of some small modules, allow the verifier to establish the correctness of bigger modules. Conversely, given the specification of a big module to be implemented, they allow the designer to decompose (or refine) the big specification into less abstract (or stronger, in the logical sense) ones whose implementations could be found more easily. More precisely, from a design point of view, starting from the specification of the reactive system, the method will assist the designer in refining it into more elementary (but modular) ones. This yields specifications such that when we put their implementations together (in parallel) we obtain a parallel implementation of the first specification. Refinement is carried out together with a proof methodology. Once a refinement step is done, one can make sure that it preserves the set of solutions of the first specification. There are two kinds of proofs we have to make during a refinement: a consistency proof which checks whether a specification is mathematically consistent, and a refinement proof which verifies a refinement to be consistent with the specification from which it is refined. The elementary specifications can be refined again according to the same principle. This refinement process proceeds until implementations (modules in the IPL) can be obviously derived. Now program texts are difficult to derive directly from weak eventuality, so that no program can be extracted while the specification contains weak eventuality. We first transform weak eventuality to strong eventuality, preserving invariants. Axioms in the proof system represent the basic laws of the refinement which (in our study) allow atomic actions in a module to be derived from its local strong eventuality properties. The rules for composition and refinement of complex specifications are formulated as sound inference rules.


3 A small example

We look for a program ?M (maybe a parallel one) that implements the specification module [Inter; loc; ∃x. I ∧
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S aL] wkm, w ■> {c,«, •}, ud 

IntT ■ A e € W* ( iiiffaw Mate hmrtioaa) 

<ac ■ « € M A V € W (local Mate ftmrtiiwia) 

I S a((M) A«sOAvKOAes< (iailial coaditiaa) 

5 S a s 0 jigigu, «« * 1 A v s 0 aiiiaja •« m lA 

esc jigyidt «e s 1 • ( A a/ttr(M) (laiMjr) 

L ≡ at(M) ↝ after(M) (liveness)

So the starting goal is ?M ⊨ [Inter; loc; ∃x. I ∧ S ∧ L].

If we use the composition rule we must find sub-goals which satisfy the proof obligations associated with this rule.


Let war I AS A L aad ^0 It A Si A Li, 

! Proof abUcatkae: 

A M ■» W 

tfiteri coaapatjoritk inter) 
/nicr m intcri 9 inter) 
loc m loci ® loC) 

Var(iae]) ft Var(laea) ■ # 

M >t (inter; toe; _ 

1 inter k inter 0 S 

Af > (inter; lee; 3«Z. 

A poaaibk aalntioa k : (wkete «oi s {e.ct.ej.a)) 

intcri s £jaii(e,ei) Agd:{a(e3) Ae € If* Act € tf* A ej €>f* 
loei s « € M 

il S al(Afi) A nsOAeacAciwc 

S| S (» w OAc = « AC] a c) unit** «,(« w Oa es c A ci w 1 oc) 
A(nsOAe«cAe) s 1 oc)]iajfi(£•!(«» 1 AcscAca >c) 
A(«s 1 Ac s c) anleae .,(« = 1 Acs lee Aa/ter(Afi)) 

Lt S at(Mi)'>««, a/ter(Af]) 

witk a ajraiaietrical aolatioa for va (witk a aiifkt differeacc 
tkat e dM aot appear ia va) wkm {a.ei.c)} ia ^ ate 
replaced hf {e.o.ct} aad wi ia repla^ wj wUik k 
eqaal to {ct.o.e}. 

We can now apply other rules and/or axioms to find two possible modules M1 and M2 which must satisfy the two new specification modules. This leads to a final (possible)
aolatioa fM s t'Ci.C). [AfiRifr] witk 


M1 ::

module
  external in c : channel [1..] of integer
  eonaum out c1, e : channel [1..] of integer
  local a : integer where a = 0

  [ l1 : c1!1; l2 : c?a; l3 : e!1 ]

and

M2 ::

module
  external in c1 : channel [1..] of integer
  coaianm out c2 : channel [1..] of integer
  local e : integer where e = 0

  [ m1 : c1?e; m2 : c2!1 ]

Program Ping-Pong


Our previous work has concerned the verification of concurrent programs using a linear temporal logic in which we considered the global validity notion [15, 16]. This led to a non-compositional proof system we have encoded into Isabelle [18]. The resulting prototype, called CROCOS, allows concurrent programs to be verified but not to be developed. It also suffers from inefficiency when dealing with programs of a realistic size.

We intend to improve the current version of CROCOS by implementing the principles and the logic we have reported in this paper. This should permit our prototype to support the verification as well as the derivation of large reactive systems. Then experiments and case studies with the new CROCOS will be conducted in order to explore the possibility of defining other composition principles in the setting of our logic.
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1. Introduction 

In this paper we discuss a notion of morphism of automata which seems particularly appropriate 
for the study of concurrency and distributed processing. It has close connections with notions of 
morphism introduced in [MM90] and [Knu73]. 

We are following the automata-theoretic calculus for concurrency based on distributive categories 
introduced by Sabadini and Walters in [SW93], which we recall briefly below. 

We concentrate attention here in particular on refinement. Our notion differs markedly from 
existing notions of refinement in process calculi [DGR], and Petri nets [BGV91], which were 
introduced with a view to top-down design; hence, in these approaches it is considered desirable 
that the behaviour and the properties of a refined system are deducible from the unrefined 
one. For example, two equivalent systems (with respect to a given notion of equivalence) must 
be equivalent even after refinement. As a consequence, no new information is being introduced 
by a refinement. On the contrary, in our approach, the refined system may have a much richer 
structure than the unrefined one: thus, we can study such issues as efficiency in time and resources. 
This implies that at each stage of refinement it is necessary to prove that desired properties are 
preserved by refinement. This is not unreasonable, because the desired properties are properties 
of the final object of this refinement process, and at an earlier stage it may happen that it is not 
even possible to define them. This approach is advocated, for instance, by Chandy and Misra in 
[CM88]. 

Formally, our definition is based on considering the automata as categories of transitions, and 
then a morphism is a functor between transition categories, and a refinement is an embedding of 
the category of one automaton in another one. The elementary categorical concepts used in this 
paper may be found in Mac Lane [Mac71] or Walters [Wal]. 

In future papers we will show how the morphisms introduced here can be used to prove properties 
of distributed systems. 

This work has been supported by the Australian Research Council, Esprit BRA ASMICS, Italian 
MURST 40%, and the Italian CNR, contract 92.00529.CTOl. 


2. Distributive Automata 

In the model of concurrency introduced in [SW93], systems are represented by particular deterministic 
automata called distributive automata. 






Distributive automata are automata constructed from a given family of sets and functions (data 
types and data operations) using the operations of a distributive category. That is, the alphabet 
and state space of a distributive automaton are formed by the operations of sum and product from 
some basic sets. The actions of a distributive automaton are formed from basic functions by 
composition, sum, and product of functions, projections, injections, the diagonal and codiagonal, 
and the distributive isomorphism X × (Y + Z) ≅ X × Y + X × Z. Thus, the alphabets have a rich 
structure reflecting parallel or conflicting, synchronous or asynchronous actions. 

There is one further operation. A distributive automaton whose alphabet is one letter and whose 
state space is of the form X + U + Y may compute by iteration a (total) function from X to Y; 
such automata we call pseudofunctions. In the construction of distributive automata we may use the 
function computed by a pseudofunction. This operation allows hiding of state, and encapsulation 
of iteration. Notice that the notion of pseudofunction has a precursor in Elgot's iteration theories 
[Elg75] and Heller's work on recursion categories [Hel90]. A similar definition can also be found in 
[Knu73], and [Mil71]. 


3. Refinement of automata 

Definition 3.1. Suppose M is a monoid and X an M-automaton; that is, a set X together with 
an action of M on X, M × X → X : (m, x) ↦ m·x; the action is required to satisfy the usual 
axioms m1·(m2·x) = (m1 m2)·x and 1·x = x. Define the category Trans(X) (the transition 
category of X) as follows: 

(i) objects are states (that is, elements) of X; 

(ii) arrows from x to y are state transitions; that is, elements m ∈ M such that m·x = y; 

(iii) composition is monoid multiplication. 

A morphism of automata, or, in short, a mapping from X to Y, is a functor from Trans(X) to 
Trans(Y), where Y is an N-automaton for a monoid N. 

An abstraction from X to Y is a functor Trans(X) to Trans(Y) which is surjective on objects 
and arrows. 

A refinement of X in Y is an inclusion, as a full subcategory, of Trans(X) in Trans(Y). 

In other words, in order to give a refinement of X one has to specify a bigger system Y which 
has a restriction to a system isomorphic to X. 

Notice that each arrow in Trans(X) is determined by an element m ∈ M and a domain and 
a codomain x, y ∈ X. Hence many distinct arrows will be labelled with the same element of the 
monoid. 

In what follows, we will be concerned with free monoids on the structured alphabets we discussed. 
If M = A* and N = B*, a functor F from Trans(X) to Trans(Y) is given by a function F : X → Y 
and a function F : X × A → B* satisfying the condition that if a ∈ A and a : x → x' in Trans(X), 
then F(a) : F(x) → F(x') in Trans(Y). For a refinement there is the further requirement that 
the function induced by F between Hom(x, x') and Hom(F(x), F(x')) is a bijection, and that 
the function between the state spaces is injective. (Morphisms of distributive automata should be 
defined by functions X → Y constructed using the operations of a distributive category, and by 
functions X × A → B* constructed using the operations of a countably extensive category with 
products [KWW], but this requirement is not necessary for the purposes of the present paper.) 

Notice that the usual notion of substitution in language theory is a morphism which assigns to a 
letter a word or a language, but the latter ones are fixed once for all, and not dependent on state. 
Note also that not all full subcategories of Y induce a refinement. 

We can also give the following, weaker 

Definition 3.2. An expansive mapping is an inclusion F of Trans(X) in Trans(Y) such that 
whenever F(x -a-> x') = F(x) -s-> F(x'), where a ∈ A and s ∈ B*, then there are no x'' ∈ X, 
s' ∈ B* such that s' is a proper prefix of s and F(x) -s'-> F(x''). 
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When an atomic action is refined by an expansive mapping, the set of states spawned by the 
string it is mapped to lies entirely outside of the image of X, except for the initial and final states 
(which are the image of the domain and of the codomain of the atomic action). We can indeed 
restate Definition 3.2 as follows: 

(i) Y = X + U for some set U; 

(ii) if F(x, a) = b1 ⋯ bn ∈ B*, then b_j ⋯ b_1 · x ∈ U for j = 1, 2, …, n − 1. 

Expansiveness and fullness are related by the following proposition: 

Proposition 3.1. Let X and Y be A* and B* automata, respectively. If a mapping F : X → Y 
is a refinement, then it is expansive. 

Proof. Suppose there are x'' and s' as in Definition 3.2. Then s factors as s's'', and F(x'') -s''-> F(x'). 
But because of faithfulness and fullness, there have to exist strings t', t'' ∈ A* such that x -t'-> x'' and 
x'' -t''-> x'. By composition, we get t't'' = a. Thus, either t' = a and t'' = ε, or t' = ε and t'' = a. 
In both cases, s' is not a proper prefix of s. □ 

This proposition cannot be reversed. Take A = B = {α, β}, X = {∗} and Y = {0, 1}. Let the 
action of α be the identity on Y, and the action of β be n ↦ 1 − n. The mapping sending the 
unique state of X into 0, α to α and β to …, is expansive, but not full. 

There is however a relevant case in which we can reverse Proposition 3.1: 

Proposition 3.2. Let X and Y be A* and B* automata, with A = B = {τ}. If a mapping 
F : X → Y is expansive, then it is a refinement. 

Proof. If F is not a refinement, consider states x, y ∈ X and an arrow F(x) -τ^k-> F(y) which is 
not the image of an arrow from x to y. Assume without loss of generality that k is minimal. Let 
F(x) -τ^n-> F(x') be the image through F of x -τ-> x'. If k > n, then necessarily F(x') -τ^{k−n}-> F(y) is not 
in the image of X, which contradicts the minimality of k. Then n > k. But this contradicts 
expansiveness. □ 


Example 3.1. When M = N = {τ}* then refinement takes a particularly simple form. Such an 
automaton can be analysed by considering the orbits, that is, sequences of states produced by 
the action of τ starting from a given initial state. A refinement of an automaton X is another 
automaton Y with state space of the form Y = X + U such that the orbits of Y, when restricted 
to X, correspond exactly to orbits of X. 

Remark 3.1. It is clear that refinements form a category Refine, and that abstractions form a 
category Abstract. However, both refinement and abstraction can be looked at in the opposite 
direction, i.e., the domain of a refinement can be seen as a system in which space and time have 
been hidden, while the domain of an abstraction can be seen as a system with finer state space and 
actions (this is closely related to [Lyn87]). Formally, this corresponds to the study of the categories 
Refine^op and Abstract^op. 

The notion of transition category induces a notion of behaviour which is state dependent: for 
each pair of states x, y we can build the set of arrows between x and y, i.e., the hom-set between 
the objects x and y. Formally, 

Definition 3.3. The functor behaviour 

Behaviour : Refine → Cat/Sets 

is defined by 

X ↦ Hom : Trans(X)^op × Trans(X) → Sets 

on objects, and by 

F ↦ F^op × F 

on morphisms. 

Note that F^op × F commutes with Hom up to isomorphism exactly because F is a refinement. 
Note also that F^op × F is a morphism in Cat/Sets; this expresses the fact that the behaviour of 
X is a restriction of the behaviour of Y along the refinement. 


4. Examples 

4.1. Mutual exclusion 

Other theories of refinements often require that all the steps in the refinements of two conflicting 
action (systems) are conflicting. This seems to be reasonable when the word “conflict” means 
“irrevocable choice”, but not when, as usual in applications, conflict comes from access to a common 
resource (in our setting, this means that two letters use the same part of the state space). Here, 
we can easily model the situation where the conflict may occur at only one step in the refinement. 

4.2. Independent actions are not necessarily parallel 

In considering a refinement F : X → Y we can think of X as the specification of a program and 
F as the implementation of X in a system Y (in a later paper we will discuss a more general 
notion of specification in this setting). It is then possible to consider questions of resources. We 
can make the distinction between actions of X being “independent” and being “parallel”. Actions 
are independent if they are specified as parallel, i.e., they are parallel in X. Actions are parallel if 
they are parallel in the implementation, i.e., in Y. 

The following example can be expressed by saying that independent actions in a specification 
may not be parallel in the implementation. 

Given two automata X, Y, both with alphabet τ, suppose that there are refinements of X to X' 
and Y to Y', where X' = X + U and Y' = Y + U, the meaning being that the set U is the state 
space of some temporarily used (and reset after use) resource like a scratch pad, or printer. Then 
the synchronous parallel product X × Y of X and Y may be refined to an automaton in which 
there is only one resource U whose use is scheduled between X and Y. The state space would 
be Z = XY + UY + XY + XU, and the only letter acting on it would first apply (τ, 1) until it 
lands in the third summand of the state space. Then, it would apply (1, τ) until it gets back to 
the first summand. The injection of XY as first summand of Z would then define a refinement, 
which would schedule the parallel action (τ, τ) to a sequence of actions of the form (τ, 1) or (1, τ). 

4.3. Shutdown 

Consider a refined description of a system in which a new, destructive action can happen. This is 
a typical case of a sudden shutdown. We expect that the system can, at any time, be shut down, 
thus moving into a state which was impossible to reach before. In this case, the refinement space 
is formed by adding a single element, and a new letter to the alphabet; it sends to the new state 
any other state. The behaviour of the machine, if we ignore the shutdown state, is unmodified, 
which is exactly reflected in our definition of refinement. 
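To make Definitions 3.1 and 3.2 concrete, here is an added checker (not code from the paper) that builds bounded hom-sets of Trans(X) and tests a mapping for the functor condition, injectivity on states, fullness and faithfulness up to a word length, and expansiveness. It runs on two constructed automata: the expansive-but-not-full mapping after Proposition 3.1, where the word assigned to β (ββ) is an assumption because it is lost in the scanned text, and the shutdown refinement of this section; the class and method names are ours.

```python
from itertools import product


class Automaton:
    """A deterministic automaton over the free monoid A*: a state set plus a
    total transition function delta(state, letter) -> state.  A word is a
    tuple of letters applied left to right; the empty tuple is the unit."""

    def __init__(self, states, letters, delta):
        self.states, self.letters, self.delta = set(states), list(letters), delta

    def run(self, x, word):
        for a in word:
            x = self.delta(x, a)
        return x

    def hom(self, x, y, max_len):
        """Arrows x -> y of Trans(X) (Definition 3.1): words w with w.x = y.
        The search stops at length max_len so that it stays finite."""
        return {w for n in range(max_len + 1)
                for w in product(self.letters, repeat=n) if self.run(x, w) == y}


class Mapping:
    """A morphism X -> Y given by a state map and a state-dependent letter map
    X x A -> B*; on_word extends it to a functor Trans(X) -> Trans(Y)."""

    def __init__(self, src, dst, on_state, on_letter):
        self.src, self.dst, self.on_state, self.on_letter = src, dst, on_state, on_letter
        self.image = {on_state(x) for x in src.states}   # F(X), the image states

    def on_word(self, x, word):
        out = ()
        for a in word:
            out += self.on_letter(x, a)
            x = self.src.delta(x, a)
        return out

    def is_functor(self):
        # F(x, a) must be an arrow F(x) -> F(a.x) in Trans(Y).
        return all(self.dst.run(self.on_state(x), self.on_letter(x, a))
                   == self.on_state(self.src.delta(x, a))
                   for x in self.src.states for a in self.src.letters)

    def is_injective_on_states(self):
        return len(self.image) == len(self.src.states)

    def is_expansive(self):
        """Definition 3.2 in its restated form: the states visited strictly
        inside the image word b1...bn of a letter lie outside F(X)."""
        for x in self.src.states:
            for a in self.src.letters:
                s, y = self.on_letter(x, a), self.on_state(x)
                for b in s[:-1]:          # b1 ... b(n-1): intermediate states only
                    y = self.dst.delta(y, b)
                    if y in self.image:
                        return False
        return True

    def fullness_witness(self, max_len):
        """None if F is full and faithful on words of length <= max_len, else a
        witness.  Letter images are assumed non-empty, so every image word of
        length <= max_len is the image of an X-word of length <= max_len."""
        for x in self.src.states:
            for x2 in self.src.states:
                images = [self.on_word(x, w) for w in self.src.hom(x, x2, max_len)]
                if len(set(images)) != len(images):          # two X-arrows collide
                    return ('not faithful', x, x2)
                y_arrows = self.dst.hom(self.on_state(x), self.on_state(x2), max_len)
                missing = y_arrows - set(images)             # Y-arrows with no preimage
                if missing:
                    return ('not full', x, x2, min(missing, key=lambda w: (len(w), w)))
        return None

    def is_refinement(self, max_len):
        return (self.is_functor() and self.is_injective_on_states()
                and self.fullness_witness(max_len) is None)


# Constructed example 1: the mapping discussed after Proposition 3.1.
# X = {*} with A = {α, β} acting trivially; Y = {0, 1} where α is the identity
# and β is n -> 1 - n.  We send * to 0 and α to α; the word for β is an
# assumption (ββ), chosen so that it is an arrow 0 -> 0 passing through 1.
X1 = Automaton({'*'}, ['α', 'β'], lambda x, a: x)
Y1 = Automaton({0, 1}, ['α', 'β'], lambda n, a: n if a == 'α' else 1 - n)
F1 = Mapping(X1, Y1, lambda x: 0,
             lambda x, a: ('α',) if a == 'α' else ('β', 'β'))

# Constructed example 2: the shutdown refinement of Section 4.3.  Y adds one
# state 'off' and one letter 'halt' that sends every state to 'off'; F is the
# inclusion of X, with each letter refined to itself.
X2 = Automaton({'idle', 'busy'}, ['go', 'done'],
               lambda x, a: 'busy' if a == 'go' else 'idle')
Y2 = Automaton({'idle', 'busy', 'off'}, ['go', 'done', 'halt'],
               lambda y, b: 'off' if b == 'halt' or y == 'off' else X2.delta(y, b))
F2 = Mapping(X2, Y2, lambda x: x, lambda x, a: (a,))

if __name__ == '__main__':
    print('F1 expansive:', F1.is_expansive(), 'witness:', F1.fullness_witness(3))
    print('F2 refinement:', F2.is_refinement(3), 'expansive:', F2.is_expansive())
```

For F1 the witness is the Y-arrow βαβ : 0 → 0, which no X-arrow is sent to, so F1 is expansive but not full; for F2 no word containing halt returns to an image state, so the bounded check finds the inclusion full and faithful.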


4.4. Choice 

Our refinement being a functor assigns to each action of the unrefined system a precise refinement. 
Hence it is not possible in our model to replace an action by two alternative actions even if two 
alternative actions may exist in the refined machine (such a thing would correspond to two different 
refinements). This accords with our view that machines, even asynchronous ones, are deterministic; 
the introduction of a choice in refinement is a non-determinism at the level of morphism. However, 
different choices can be identified by an abstraction morphism. 





5. Comparisons 

As we remarked in the introduction, our notion of refinement differs markedly from notions currently 
being considered in Petri nets and process algebra; rather, it is in the spirit of [CM88, AL87]. 

The definition which is conceptually closest to our approach is the broader definition of Petri 
net morphism given in [MM90], where a single Petri net transition can be mapped to an entire 
computation, possibly composed by many parallel steps. However, due to the freedom with respect 
to the monoidal product, the mapping is not dependent on the global state of the net. 

In contrast to the situation in action refinement ([CvGG], [DGR]), in our model it is not at all 
necessary that a refinement of two parallel processors be parallel (§4.2) (and hence we can discuss 
scheduling of resources), or a refinement of conflicting processors be conflicting in all steps (§4.1) 
(and hence we can discuss refinements which limit non-parallelism to exactly those points where 
common resources are needed). 

In contrast to Petri nets refinement ([BGV91]), we are unable to introduce a choice (§4.4) between 
actions to refine an action. This limitation simplifies considerably the theory but does not restrict 
its expressiveness. 


References 

[AL87] M. Abadi and L. Lamport. Composing specifications. In Stepwise Refinement of Distributed Systems, number 430 in LNCS, pages 1-41, 1987. 

[BGV91] W. Brauer, R. Gold, and W. Vogler. A survey of behaviour and equivalence preserving refinement of Petri nets. In G. Rozenberg, editor, Advances in Petri Nets 1990, number 483 in LNCS, 1991. 

[CM88] K.M. Chandy and J. Misra. Parallel Program Design: A Foundation. Addison-Wesley, 1988. 

[CvGG] I. Czaja, R. van Glabbeek, and U. Goltz. Interleaving semantics and action refinement with atomic choice. Preprint. 

[DGR] P. Degano, R. Gorrieri, and G. Rosolini. A categorical view of process refinement. In Semantics: Foundations and Applications, number 666 in LNCS. 

[Elg75] C. Elgot. Monadic computation and iterative algebraic theories. Studies in Logic and the Foundations of Mathematics, 80:175-230, 1975. 

[Hel90] A. Heller. An existence theorem for recursion categories. Journal of Symbolic Logic, 55(3):1252-1268, 1990. 

[Knu73] D.E. Knuth. The Art of Computer Programming. Addison-Wesley, 1973. 

[KWW] W. Khalil, E.G. Wagner, and R.F.C. Walters. Fixed-point semantics for programs in distributive categories. In preparation. 

[Lyn87] N.A. Lynch. Multivalued possibility mappings. In Stepwise Refinement of Distributed Systems, number 430 in LNCS, pages 519-543, 1987. 

[Mac71] S. Mac Lane. Categories for the Working Mathematician. Springer-Verlag, 1971. 

[Mil71] R. Milner. An algebraic definition of simulation between programs. In Proc. of the 2nd Joint Conference on Artificial Intelligence, pages 481-489. BCS, 1971. 

[MM90] J. Meseguer and U. Montanari. Petri nets are monoids. Information and Computation, 88:105-155, 1990. 

[SW93] N. Sabadini and R.F.C. Walters. On functions and processors: an automata theoretic approach to concurrency through distributive categories. Mathematics Report 93-7, Sydney University, 1993. Available by anonymous ftp at ghost.dsi.unimi.it in the directory pub2/papers/sabadini. 

[Wal] R.F.C. Walters. Categories and Computer Science. Carslaw Publications (1991), Cambridge University Press (1992). 










The role of Memory in Object-Based 
and Object-Oriented Languages 


Eric G. Wagner 
Wagner Mathematics 
Old Albany Post Road 
R 1 Box 445 
Garrison, NY 10524 / USA 
CSNET: Wagner@watson.ibm.com 


Abstract 

This paper introduces an algebraic memory model appropriate for programming languages 
with both ground types and objects, and relates it to elementary inheritance, 
overloading, and class specification. 

This paper reports on some of the recent theoretical and practical results on programming 
constructs that came about as part of the continuing project to design, implement, 
and extend the programming language LD³ (Language for Data Directed Design) that I 
introduced at the first AMAST conference [4]. 

The main idea that I want to promote in this paper is that the proper context for talking 
about object-oriented and object-based programming is imperative rather than functional. 
That is, I will show why it is advantageous to view objects as parts of a state rather than 
as things-in-themselves. In particular I will show how this approach makes for a rich variety 
of objects (or classes) and simple approaches to inheritance and overloading. 

Much of the theoretical work currently being done on OOL and OBL, e.g. [3, 1, 2], 
is done in a functional context wherein a method is viewed as a function on objects. In 
this paper we take a different approach based on a "memory" model, wherein the 
execution of a method both changes the state and returns a value. I first enunciated this 
approach in [5] where it was applied to produce a semantics for LD³. The paper generalizes 
the treatment given there and examines some of its ramifications. This abstract gives only 
the first part of the story, a precise description of a particular form of inheritance; the full 
paper will also explore the role of overloading. 

For any set K let SStr_K denote the free distributive category generated by K (the 
notation comes from the fact that this is also the category of strings-of-strings over K; see 
[4]). 

Definition 0.1 Let K be a finite set, then a K-state μ is given by the following data: 

I_μ = ⟨I_μ(k) | k ∈ K⟩, a K-indexed family of sets. 

V_μ = ⟨V_μ(k) | k ∈ K⟩, a K-indexed family of sets. 

μ = ⟨μ(k) : I_μ(k) → V_μ(k) | k ∈ K⟩, a K-indexed family of mappings. 

If we view I_μ and V_μ as functors from the discrete category K to the category Set of 
sets and functions, then μ is a natural transformation. 

Given K-states μ and μ' we define a morphism η : μ → μ' to be a pair of injective 
natural transformations ⟨α : I_μ → I_μ', β : V_μ → V_μ'⟩ such that μ'·α = β·μ. Here α 
injective means α_k is injective for every k ∈ K. Let ST_K denote the category of K-states. □ 

The rough intuition is that in a $K$-state $\mu = (I_\mu, V_\mu, \mu)$ what is specified is a $K$-indexed 
set of entities (locations, objects), each entity having a value in the $K$-indexed set $V_\mu$ as 
specified by the $K$-indexed family of functions $\mu$. More specifically, the entities belonging 
to class $k \in K$ are the elements of the set $I_\mu(k)$, their possible values are the elements of the 
set $V_\mu(k)$, and their specific values in the state are given by the mapping $\mu(k) : I_\mu(k) \to V_\mu(k)$. 
The morphisms in the category $ST_K$ capture the notion of "substate". 

The next definition extends the idea of "entities" with values by extending each set $I_\mu(k)$ 
to include an additional entity without a value. We shall call the additional entity of class 
$k$ the null-entity of class $k$. Such null-entities provide a means for dealing with constructs 
such as null-pointers. 

Definition 0.2 From $I_\mu$ we define a functor $O_\mu : K \to \mathbf{Set}$, $k \mapsto I_\mu(k) + 1$. Given a natural 
transformation $\alpha : I_\mu \to I_{\mu'}$, we extend it to a natural transformation $\alpha^* : O_\mu \to O_{\mu'}$ 
by taking $\alpha^*_k = \alpha_k + 1$ for all $k \in K$. In what follows we shall generally omit the "$*$" and 
use the same notation for both natural transformations. □ 

Since $SStr_K$ is the free distributive category generated by $K$ it follows that for any state 
$\mu$, the functors $V_\mu$ and $O_\mu$ extend, canonically, to functors (respectively $\hat V_\mu$ and $\hat O_\mu$) 
from $SStr_K$ into $\mathbf{Set}$. We will generally omit the "$\hat{\ }$" in future uses of these functors. 

Definition 0.3 For each $v \in (K^*)^*$ define $U^v : ST_K \to \mathbf{Set}$, $\mu \mapsto O_\mu(v)$ and $(\alpha,\beta) \mapsto \alpha_v$, 
to be the functor with the above indicated object- and morphism-parts. □ 

Definition 0.4 For each $v \in (K^*)^*$ we define a category $O^v_K$ with, as objects, all pairs $(\mu, e)$ 
where $\mu$ is a state and $e \in U^v(\mu) = O_\mu(v)$, and, as morphisms from $(\mu,e)$ to $(\mu',e')$, those 
morphisms $\eta : \mu \to \mu'$ such that $U^v(\eta)(e) = e'$ (so, if $\eta = (\alpha,\beta)$ then $\alpha_v(e) = e'$). 

For $v \in (K^*)^*$, let $\Pi = \Pi^v : O^v_K \to ST_K$, $(\mu,e) \mapsto \mu$ and $\eta \mapsto \eta$. □ 

Definition 0.5 Let $F : O^u_K \to O^v_K$ be a partial functor, then for each $k \in K$ define 
$T_k : O^v_K \to \mathbf{Set}$, $(\mu,e) \mapsto O_\mu(k)$, and $(\alpha,\beta) \mapsto \alpha_k$. Observe that $F_k = T_k \cdot F$. □ 

Definition 0.6 By an $ST_K$-operation of arity $(v,w) \in (K^*)^* \times (K^*)^*$ we mean a partial 
functor $F : O^v_K \to O^w_K$ equipped with an injective natural transformation $\iota^F_k : I_k \to F_k$ 
for each $k \in K$, where $I_k$ denotes $F_k$ for $F$ the identity functor on $O^v_K$. □ 

The idea here is that an $ST_K$-operation, $F$, of arity $(u, v)$ is a possible semantics for 
"functions" with formal parameters specified by the string $u$ and returning results specified 
by the string $v$, where "side-effects" are allowed, i.e., execution of a "function" can result in 
a change of state as well as the return of a value. 

The functoriality of $F$ captures a somewhat more subtle point, namely the intuitive idea 
that if a "function" is defined for a given state $\mu$ and input $e$ and $\mu'$ is an "extension" 
of $\mu$ then the function is also defined for $\mu'$ and $e$ and, indeed, does essentially the same 
thing then as it did before. The mathematics makes a slightly weaker, but more precise, 
statement. 
The requirement that we have an injective natural transformation $\iota^F_k : I_k \to F_k$ for 
each $k \in K$ can be interpreted as saying that the execution of $F$ "preserves entities", i.e., 
that if $F((\mu,e)) = (\mu',e')$ then, roughly speaking, $I_\mu(k) \subseteq I_{\mu'}(k)$ for every $k \in K$. 

Definition 0.7 Given $ST_K$-operations $(F,\iota^F) : O^u_K \to O^v_K$ and $(G,\iota^G) : O^v_K \to O^w_K$, we 
define their composite, $(G,\iota^G) \cdot (F,\iota^F) : O^u_K \to O^w_K$, to be $(G \cdot F, \iota^{G \cdot F})$ where, for each $k \in K$ 
and $(\mu,e) \in Obj(O^u_K)$, . □ 

Proposition 0.8 The $ST_K$-operations form a category, $Op_K$, with the above defined com­position and with the identity morphism, $id_v : O^v_K \to O^v_K$, being 
$(1_{O^v_K},\ (1_{O_\mu(k)} : O_\mu(k) \to O_\mu(k) \mid k \in K,\ \mu \in ST_K))$. 

Definition 0.9 Let $k, k' \in K$, then by the replacement function for $k$ and $k'$ we mean the 
function $r_{k,k'} : K \to K$ such that $r_{k,k'}(j) = k$ if $j = k'$ and $r_{k,k'}(j) = j$ otherwise. □ 

Definition 0.10 A smooth coercion from $k'$ to $k$ is a natural transformation $c : U^{k'} \to U^k$. □ 

Proposition 0.11 If $k, k' \in K$, $u, v \in K^*$ such that $r_{k,k'} \circ u = v$ and $c$ is a smooth coercion 
from $k'$ to $k$, then there is a functor $\hat c : O^u_K \to O^v_K$ such that for all $(\mu,e) \in Obj(O^u_K)$, 
$\hat c((\mu,e)) = (\mu, e')$ (no change in the state!) where $e'_j = c(e_j)$ if $u_j = k'$, and $e'_j = e_j$ if 
$u_j \ne k'$. Furthermore, this functor $\hat c$ is an $ST_K$-operation when equipped with the identity 
natural transformation $I_k \to \hat c_k$ for each $k \in K$. 

Proposition 0.12 If $k, k' \in K$, $u, v \in K^*$ such that $r_{k,k'} \circ u = v$ and $c$ is a smooth coercion 
from $k'$ to $k$, then there is an induced mapping 

$Op_K(v,w) \to Op_K(u,w)$, 

$f \mapsto f \cdot \hat c$. 

We now apply these ideas in a more concrete setting. 

Definition 0.13 A class-system is specified by the following data: 

$G$, called the set of names for ground classes. 

$D$, called the set of names for defined classes. Let $K = G + D$. 

$\iota : D \to (K^*)^*$, called the form function. 

$\mathcal{G}$, a $G$-sorted algebra, called the algebra of ground operations, with some signature $\Gamma$. 

Given a class-system $\mathcal{K} = (G, D, \iota, \mathcal{G})$ a basic state, $\mu$, for $\mathcal{K}$ consists of 

$I_\mu : K \to \mathbf{Set}$. For our current purposes let us assume that for each $k \in K$, $I_\mu(k) = 
\{(j,k) \mid j = 1, \ldots, n_k\}$ for some $n_k \ge 0$. 

$V_\mu : K \to \mathbf{Set}$ such that $g \mapsto \mathcal{G}_g$ and $d \mapsto O_\mu(\iota(d))$. 

$\mu : I_\mu \to V_\mu$, a natural transformation. 

Finally, we restrict ourselves to morphisms $\eta = (\alpha,\beta) : \mu \to \mu'$ between states in which, for 
each $d \in D$, $\beta_d = \alpha_{\iota(d)}$, and, for each $g \in G$, $\beta_g = 1_{\mathcal{G}_g}$. □ 

Now let us restrict our attention to $ST_K$-operations $(F, \iota^F)$ in which the $\iota^F_k$ are inclu­sion mappings. We can show that there are more than enough such operations to form a 
programming language (see the LD* papers). 

Proposition 0.14 Let $k, k' \in K$, then if there exist $u, v \in (K^*)^*$ and an isomorphism 
$\rho : \iota(k') \cong ((k) \times u) + v$ then there exists a corresponding smooth coercion $c_\rho : U^{k'} \to U^k$. 

1. There is always a trivial example: Take $u = 0$, the empty string-of-strings, and take 
$v = \iota(k')$, then (because, for any $u$ and $v$, $u \times 0 = 0$, and $0 + v = v$) we trivially have 
$\iota(k') \cong ((k) \times 0) + \iota(k')$. I claim that the corresponding smooth coercion is the one 
which, for each state $\mu$, is given by the mapping 

$O_\mu(k') \to O_\mu(k)$, 

$(j, k') \mapsto (0, k)$. 

2. Assume $\iota : D \to (K^*)^*$ is such that, for every $d \in D$, $\iota(d) = (k_{d,1} \cdots k_{d,n_d})$, i.e. it 
consists of a single string of length $n_d$. This is the case in object oriented languages 
where the state is given by the values of a set of instance variables. When this is the 
case, it is easy to see that, if $d \in D$ and $k \in K$ are such that $\iota(k') = (k_{k',1} \cdots k_{k',n_{k'}})$ and 
$k = k_{k',i}$ for some $i$, then we have an isomorphism 

$\rho_i : \iota(k') \cong (k) \times (k_{k',1} \cdots k_{k',i-1} \cdot k_{k',i+1} \cdots k_{k',n_{k'}})$ 

The desired smooth coercion here is the one which for each state $\mu$ is given by the 
mapping $O_\mu(k') \to O_\mu(k)$ taking $x \in I_\mu(k')$ to $\mu(x)_i$. 

3. We claim that the archetypical example of inheritance - the inheritance of the move 
operation on the class dots by the "subclass" colored_dots - is an example of just 
such a smooth coercion. We will give a fuller treatment of this, and other examples, in 
the full paper. 
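The following is an added example, not code from the paper, giving a finite executable model of basic states (Definition 0.13), the instance-variable coercion of case 2 above and the inheritance of case 3: the class colored_dot inherits move from dot through the induced mapping of Proposition 0.12. All names (point, color, move, coerce, induce, KState) are assumptions made here.

```python
"""Added example (not from the paper): a finite model of K-states and of the
smooth coercion of Proposition 0.14, case 2, applied to the inheritance of
move by colored_dot (case 3).  All names below are assumptions."""
from typing import Any, Callable, Dict, Tuple

Entity = Tuple[int, str]   # (j, k): j-th entity of class k; j == 0 is the null entity
NULL = 0


class KState:
    """A basic state mu: I_mu(k) = {(j,k) | j = 1..n_k} and mu(e) the value of e.
    A defined class d has form iota(d), a string of classes; the value of an
    entity of class d is the tuple of its instance-variable entities."""

    def __init__(self, form: Dict[str, Tuple[str, ...]]):
        self.form = form                      # iota : D -> K*
        self.values: Dict[Entity, Any] = {}   # mu

    def entities(self, k: str):
        return [e for e in self.values if e[1] == k]

    def new(self, k: str, value: Any) -> Entity:
        e = (len(self.entities(k)) + 1, k)
        if k in self.form:                    # value must have the form iota(k)
            assert tuple(x[1] for x in value) == self.form[k]
        self.values[e] = value
        return e

    def copy(self) -> "KState":
        s = KState(self.form)
        s.values = dict(self.values)
        return s


def coerce(mu: KState, x: Entity, k: str) -> Entity:
    """Case 2: x of class k' maps to its instance variable of class k, that is
    mu(x)_i with k_{k',i} = k; the null entity of k' maps to the null entity of k."""
    if x[0] == NULL:
        return (NULL, k)
    i = mu.form[x[1]].index(k)
    return mu.values[x][i]


def replace(u: Tuple[str, ...], k: str, k_prime: str) -> Tuple[str, ...]:
    """r_{k,k'} of Definition 0.9 applied letter by letter to the arity u."""
    return tuple(k if j == k_prime else j for j in u)


Op = Callable[..., Tuple[KState, Tuple[Entity, ...]]]


def induce(f: Op, u: Tuple[str, ...], k: str, k_prime: str) -> Op:
    """f . c-hat of Proposition 0.12: an operation of arity (v, w) becomes one
    of arity (u, w); arguments of class k' are coerced, the state is untouched."""
    def g(mu: KState, *args: Entity):
        coerced = tuple(coerce(mu, a, k) if u_j == k_prime else a
                        for a, u_j in zip(args, u))
        return f(mu, *coerced)
    return g


def move(mu: KState, d: Entity, dx: Entity, dy: Entity):
    """ST_K-operation of arity ((dot, int, int), (dot)): translates the point
    of d in a copy of the state and returns d.  No entity is removed."""
    nu = mu.copy()
    p = nu.values[d][0]                       # the point instance variable of d
    x, y = nu.values[p]
    nu.values[p] = (x + nu.values[dx], y + nu.values[dy])
    return nu, (d,)


def preserves_entities(mu: KState, nu: KState) -> bool:
    """The inclusion requirement: I_mu(k) is a subset of I_nu(k) for all k."""
    return set(mu.values) <= set(nu.values)


def position(mu: KState, cd: Entity):
    """Position of a colored_dot, read through its inherited dot."""
    return mu.values[mu.values[coerce(mu, cd, "dot")][0]]
```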
Abstract and Concrete Objects - 
An Algebraic Design Method for Object-Based Systems 

Ruth Breu, Michael Breu 

This paper demonstrates the design of an object-based system using algebraic specification 
techniques. The flexibility of algebraic specifications allows the system to be described at any 
stage of the design - starting from a descriptive specification and ending at a constructive 
specification. The latter one is a specification at the level of a program, comprising concrete data 
representations and machine-executable algorithms. 

Since we are developing an object-based system, the algebraic target specification in particular 
is a specification of objects. In our framework objects are entities with a unique identity and an 
evolving internal state which can be manipulated by the outside through a set of operations 
(commonly called methods). In this paper we are restricting ourselves to environments with 
exactly one active object at a time. Hence, the resulting specification can be easily translated into 
a typed sequential object-oriented program such as an Eiffel or C++ program. 

In our opinion, the notion of objects is too concrete to be the basis for the whole design. In 
particular, object states, object sharing and side effects of methods are facilities which are 
tightly connected with the notion of objects but encounter aspects of abstractness and 
implementation independence. 

Therefore, we suggest a design method which is based on a two-tiered paradigm of object 
specification. The early stages of the design rely on a notion of abstract objects. Abstract 
objects are stateless values on which a set of functions can be applied yielding other abstract 
objects. The specification of abstract objects is based on an external view, stating the behaviour 
of the functions. In particular, abstract objects are independent of data representations and do 
not have states. 

In later stages of the design, abstract objects are implemented by a state based object 
description. These state dependent objects are called concrete objects. Concrete objects exist in 
object environments in which one object may refer to other concrete objects. 

During the transition from abstract to concrete objects, a formal notion of implementation has to 
ensure that the correctness of the system description is preserved. We take the approach of 
[Breu R 91] and relate abstract and concrete objects by abstraction functions mapping each state 
of a concrete object to an abstract object. While in [Breu R 91] abstraction functions connect 
algebraic specifications with object-oriented programs in a model based theory, in this paper the 
axiomatic framework is not left. Following the idea of [Breu M 90], the abstraction functions 
are part of the algebraic specification and hence enable reasoning at the level of a formal 
calculus. 

Our approach goes beyond related approaches since it supports the specification of both abstract 
and concrete objects. In this respect, our framework can be considered as an extension of 
approaches which pursue the specification of concrete objects ([Goguen, Meseguer 87], 
[America, de Boer 90]). A similar separation into state dependent and state independent objects 
together with abstraction functions can be found in [Wing 87] and [America 90]. Unlike these 
approaches, our framework is based on a uniform logic environment in which both abstract and 
concrete objects are specified and proofs are performed. 

As syntactic and semantic framework, we rely on the algebraic specification language 
Spectrum ([Broy et al. 91]). This specification language provides facilities like the 
specification of partial functions and higher-order functions, admitting formulas of a general 
predicate logic. 

We will illustrate our ideas by the common example of binary trees. The full version of this 
paper will contain a larger case study. This case study deals with the implementation of the 
most general unifier of terms based on an object structure which relies on a shared 
representation of terms, i.e. a representation by dags. 

The Specification of Abstract Objects 

A primary goal in the first stage of our design method is the identification of abstract objects 
together with the abstract specification of their behaviour. We model abstract objects by values 
of some sort (called the object sort) in an algebraic specification. 

Abstract objects in our example are binary trees (of object sort Tree). Binary trees are as usual 
equipped with two constructors ε: Tree and node: Tree × Nat × Tree → Tree. Moreover, left, 
right: Tree → Tree and label: Tree → Nat denote the projections to the first and second subtree 
and to the label of the root, respectively. The related specification is straightforward. It can be 
found for instance in [Wirsing 90]. 

The Specification of Concrete Objects 

Each concrete object consists of 

• a unique identity 

• an evolving state which may refer to other concrete objects. 

Concrete objects thus do not exist in an isolated setting, but in an object environment. Object 
environments are collections of concrete objects which are connected by a network of 
references. This includes the facility of references to common subobjects (object sharing). 

In our example, we implement the abstract tree objects by concrete objects which form a dag 
structure. Figure 1 depicts an environment of two objects representing the abstract tree 
node(node(ε, 2, ε), 1, node(ε, 2, ε)). 

Figure 1 (environment of two objects, labelled 1 and 2, the second shared as both subtrees of the first) 

In object-oriented languages object environments and object identities are implicitly given. In a 
framework in which properties are proved formally, an explicit modelling is advantageous in 
order to keep the logic simple. 

We model concrete objects of object sort s by an algebraic specification containing the 
following features. 

• A sort Id_s describes the set of object identities. 

• A sort State_s describes the set of object states. 

• A sort Env describes the set of object environments. This set is characterised by 
associations of object identities with object states. 

• Methods are modelled by functions f: Env → Env on object environments. Additional 
parameters may refer to concrete objects in the environment or to basic values. 

It has to be noted that the specification of object identifiers and environments does not 
necessarily have to be a specification of a low-level pointer structure. More abstractly, object identifiers 
can be conceived as identifying keys and object environments as databases relating keys with 
object states. 

The Transition from Abstract to Concrete Objects 

We relate abstract and concrete objects by abstraction functions. Each abstraction represents a 
particular state in the lifetime of a concrete object by a stateless value. Formally, the abstraction 
is a function abstr mapping environments and object identities to values of the abstract object 
sort. An application of the abstraction function abstr in our example of binary trees is sketched 
in figure 2. Object identities (of sort Id_Tree) are indicated by an arrow in the given environment. 

abstr(p, o) = node(node(ε, 2, ε), 1, node(ε, 2, ε)) 

Figure 2 

An important property which we require of an abstraction function abstr is its compatibility with 
the functional behaviour of objects. This homomorphism property is characterised in the 
following diagram. 

[Diagram: abstract object → abstract object (via f); concrete object → concrete object (via f_I); the two rows are related by abstr.] 

The above diagram commutes for any operation f on abstract objects corresponding to a method 
f_I on concrete objects. Thus, abstraction functions between concrete and abstract objects are 
homomorphisms augmented by a notion of states. These extended homomorphisms have been 
called state based homomorphisms in [Breu R 91]. 

More precisely, the implementation of abstract objects of object sort s consists of the following 
four steps. We assume that a specification of object environments (of sort Env), object 
identities (of sort Id_s) and object states (of sort State_s) is already given. 

I1. Implementation of the functions associated with abstract objects 

Each function f in the abstract specification is implemented by a method f_I working on 
environments. Each occurrence of sort s in the arity of f corresponds to the sort Id_s in the arity 
of f_I. In this way, we obtain for instance the arities node_I: Env × Id_Tree × Nat × Id_Tree → Env × Id_Tree 
and left_I: Env × Id_Tree → Env × Id_Tree in our example of binary trees. 

Related axioms describe the behaviour of these functions. In our example, ε_I and node_I are 
methods which create new objects; left_I, right_I and label_I do not change the given 
environment, i.e. are constant in the first argument. 

I2. Abstract specification of the abstraction function 

In this step we introduce the abstraction function 
abstr: Env × Id_s → s 

together with axioms specifying the homomorphism properties. Since, in general, these 
properties are too strong to be valid in the set of all object environments, we introduce a 
constraint on environments 

I: Env → Bool. 

For each function f: s → s on abstract objects we introduce the axiom 

ABSTR_AX   ∀p: Env; x: Id_s. I(p) → abstr(f_I(p, x)) = f(abstr(p, x)). 

Axioms related with functions with general arity f: s_1 × ... × s_n → s_0 are obtained in an 
analogous way. 

Additional axioms may describe abstractly the side effect of the functions f_I on the argument 
objects based on the abstraction function. Note that at this stage the boolean function I does not 
have related axioms, i.e. it is totally loose. 

I3. Constructive specification of the abstraction function 

The axioms in step I2 describe the function abstr in a non-constructive way. In step I3, axioms 
have to be introduced which define this function explicitly based on the structure of object 
environments and object states. Moreover, the loose specification of the constraint function I on 
environments has to be made concrete. The specification of this function is deferred to this stage 
since it is tightly connected with the idea of the implementation of the abstraction function. 

In our example, the abstract tree object related with a concrete tree object is obtained by 
collecting the node information along the trace of references in the environment. The constraint 
I(p) holds if the environment p forms a dag structure, i.e. does not contain cyclic networks of 
objects. 

I4. Proofs of correctness 

In the last step, the soundness of step I3 with respect to the abstract axioms of step I2 has to be 
proved. This means that the homomorphism axioms ABSTR_AX have to be converted into 
theorems in the theory of the specification of step I3. 

After the elimination of the non-constructive axioms of step I2, the developed target specification 
should contain axioms which describe algorithms related with 

• the functions f_I on concrete objects and 

• the abstraction function abstr. 

At this stage, the development has reached a level at which the transition to a machine-executable program does not change the level of abstraction. 
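The four steps above, carried out for the binary-tree example as an added executable model (this is not the paper's own specification or code): environments are dictionaries from identities to states, the constraint I(p) is an acyclicity check over the reference network, abstr collects node information along the references, and a model-level check evaluates the instances of ABSTR_AX on the shared-subtree environment of Figure 1. The names LEAF, NodeState, eps_I, node_I, is_dag and abstr_ax_holds are assumptions made here.

```python
"""Added example, not from the Breu & Breu paper: an executable model of the
four-step method for binary trees.  Names below are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

# Abstract objects (sort Tree): stateless values.  The empty tree eps is None.
Tree = Optional[tuple]


def node(l: Tree, n: int, r: Tree) -> Tree:
    return (l, n, r)


def left(t: Tree) -> Tree:    # partial: undefined on eps
    return t[0]


def right(t: Tree) -> Tree:
    return t[2]


def label(t: Tree) -> int:
    return t[1]


# Concrete objects: identities (sort Id_Tree, here ints) mapped by an
# environment (sort Env) to states (sort State_Tree).
LEAF = "leaf"


@dataclass(frozen=True)
class NodeState:
    left: int      # identities of the subtrees; object sharing is allowed
    label: int
    right: int


State = Union[str, NodeState]
Env = Dict[int, State]


def fresh(p: Env) -> int:
    return max(p, default=0) + 1


# Step I1: each abstract function f becomes a method f_I on environments, with
# every Tree in the arity replaced by Id_Tree.  eps_I and node_I create
# objects; the projections are constant in the environment argument.
def eps_I(p: Env) -> Tuple[Env, int]:
    q = dict(p)
    i = fresh(q)
    q[i] = LEAF
    return q, i


def node_I(p: Env, l: int, n: int, r: int) -> Tuple[Env, int]:
    q = dict(p)
    i = fresh(q)
    q[i] = NodeState(l, n, r)
    return q, i


def left_I(p: Env, x: int) -> Tuple[Env, int]:
    return p, p[x].left


def right_I(p: Env, x: int) -> Tuple[Env, int]:
    return p, p[x].right


def label_I(p: Env, x: int) -> Tuple[Env, int]:
    return p, p[x].label


# Step I3: the constraint I(p) holds iff the reference network is a dag
# (every reference resolves and no object reaches itself).
def is_dag(p: Env) -> bool:
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {i: WHITE for i in p}

    def visit(i: int) -> bool:
        if i not in p or colour[i] == GREY:
            return False          # dangling reference or cycle
        if colour[i] == BLACK:
            return True
        colour[i] = GREY
        s = p[i]
        ok = s == LEAF or (visit(s.left) and visit(s.right))
        colour[i] = BLACK
        return ok

    return all(visit(i) for i in p)


# Step I3: constructive definition of abstr, collecting the node information
# along the references; it is only specified on environments satisfying I(p),
# which is also what makes the recursion terminate.
def abstr(p: Env, x: int) -> Tree:
    if not is_dag(p):
        raise ValueError("abstr is only specified where I(p) holds")
    s = p[x]
    if s == LEAF:
        return None
    return node(abstr(p, s.left), s.label, abstr(p, s.right))


# Step I4, checked in the model rather than proved: instances of ABSTR_AX for
# the three projections and for node_I at a given environment and node.
def abstr_ax_holds(p: Env, x: int) -> bool:
    if not is_dag(p) or p[x] == LEAF:
        return False
    t = abstr(p, x)
    proj_ok = (abstr(*left_I(p, x)) == left(t)
               and abstr(*right_I(p, x)) == right(t)
               and label_I(p, x)[1] == label(t))
    q, y = node_I(p, x, 9, x)     # a fresh node referring to x twice
    return proj_ok and abstr(q, y) == node(t, 9, t)


def figure1_env() -> Tuple[Env, int]:
    """Constructed sample: the shared-subtree environment of Figure 1,
    representing node(node(eps, 2, eps), 1, node(eps, 2, eps))."""
    p, e = eps_I({})
    p, s = node_I(p, e, 2, e)
    p, o = node_I(p, s, 1, s)     # both subtrees refer to the same object
    return p, o
```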

Conclusion 

A main advantage of our design method is the gain of abstractness compared to approaches 
which are based on the specification of state dependent objects. In particular, our approach 
supports the separated development of algorithms and data representations. 

A second main advantage of our approach is the uniform logic framework of the design. 
Through the explicit specification of object identifiers and object environments, the simple logic 
calculus of the functional framework can be applied. Nevertheless, it has to be stressed that the 
explicit modelling of these state based features has effects neither on the style nor on the 
expressiveness of object specifications. 
Abstract 

In this paper an approach is proposed to the algebraic specification of classes and inheritance 
in object oriented programming, using the notion of algebraic implementation of abstract data 
types. 

1 Introduction 

Application of the algebraic theories to computer science and software technology has been widely 
studied. As the object oriented paradigm [3,5,9,13,15] has become increasingly important as a new 
software engineering methodology, attempts have been made to give a rigorous mathematical foun­dation for object oriented systems using the algebraic theories (e.g., [1,4,6,7,10,11]). In particular, 
algebraic models of inheritance have been proposed, e.g., [4]. However, the existing models use 
conventional notions such as signature morphism and thus are not wide enough to provide the 
representation of incremental inheritance. 

In object oriented programming, the central concept is object. An object has an identifier, 
attributes and methods. An important feature in object oriented programming is classification, 
incorporating the notion of encapsulation. Classification organises objects into classes. Attributes 
and methods of an object are defined in the class. Inheritance is an important feature of object 
oriented systems, providing a mechanism for defining attributes and methods for a new (sub)class 
from definitions of its (super)class. In a class specification, there is an interface part which, by 
providing the attributes and methods, designates how to build and manipulate objects of the 
class [9,13,15]. This interface is an (abstract) object type specification [12]. For some classes, this 
part characterises all the features of a class. For others, however, it does not fully characterise a 
class and another part is used that concerns implementation of the current type [9,13,15]. We call 
this the implementation part. These two parts form an implementation specification in terms of 
algebraic data types. 

Because of lack of space, we only discuss some basic ideas in this paper and refer to [12] 
for further details. Attributes and methods (functions) in a class are grouped into kinds: meta-methods, instance attributes, instance methods, class attributes, class methods, and shared instance 
attributes [5,9]. Here we only consider the first three features of them. Higher types are used for 
specifications of object types. Inheritance is considered on two levels: on types and on classes. 
Generally, inheritance supports incremental modification, renaming, overriding, and specialization; 
and inheritance can be single or multiple. In this paper, we only discuss single inheritance support­ing modification, that is, an inherited component has the same name as in the 
source. The loose approach has been shown in [12] to be especially appropriate for the semantics 
of inheritance, including the significant point that an object of an inheriting type is also an object 
of its super type. 

2 Object Types and Inheritance 

We assume familiarity with the basic notions from equational algebraic specification. An object 
type $\sigma = \sigma(k_1 : s_1, \ldots, k_n : s_n)$ consists of pairs $k_i : s_i$, which we will call components of the object 
type. Denote $K^\sigma = (k_1 : s_1, \ldots, k_n : s_n)$. $K^\sigma$ is divided into two disjoint subsets, the second 
of which is $\{k_m : s_m, \ldots, k_n : s_n\}$, $1 \le m \le n$, such that (1) for each method in the first subset its coarity is 
exactly $\sigma$. In particular, there can be a construction method $tup^{w \to \sigma}$ in the first subset with $w = s_1 \times \ldots \times s_n$ 
and a constant operation symbol $create^{\to \sigma}$; and (2) for each method in the second subset, at least one of its 
argument types, or the coarity, is an attribute type in the second subset. Components in the first subset are meta-methods, 
and those in the second are instance attributes and instance methods. A component $k_i : s_i$ has a name $k_i$ 
and a type $s_i$. When an object type $\tau$ inherits $\sigma$, we write $\sigma \lhd \tau$. 

A typed signature $\Sigma$ is an $S$-sorted signature $\Sigma = (S, \Sigma)$ such that for each object type $\sigma$, 
every method name in $\sigma$ is an operation symbol, and for each instance component $k_i$ of $\sigma$, there is a unary named 
projection operation symbol $k_i \in \Sigma_{\sigma, s_i}$; and if an inheritance relation $\sigma \lhd \tau$ exists, then for each 
meta-method $\alpha : s_1 \times \ldots \times s_q \to \sigma$ for $\sigma$, there is a meta-method $\beta : s_1 \times \ldots \times s_q \times \ldots \times s_p \to \tau$ for $\tau$, 
$p \ge q$, and $\beta$ is said to be compatible with $\alpha$. A typed specification HTSP $= (\Sigma, E)$ consists of a typed 
signature $\Sigma$ and a set $E$ of axioms. A typed specification HTSP is also written HTSP $= (S, \Sigma, E)$. 

An algebra $A$ for a typed specification HTSP $= (S, \Sigma, E)$ is a specification algebra, with a carrier 
$s^A$ for each sort $s \in S$, such that for each method name $k_i$ of type $t$, there is a uniquely assigned 
method in $t^A$, denoted by $k_i^A$ or simply $k_i$; and such that for every inheritance relation $\sigma \lhd \tau$, 
each component $k : s$ in $K^\sigma$ with $k^A : \tau^A \to s^A$ is also a projection operation. In either of the cases, 
we say that $k$ is inherited, and $\sigma$ is said to be (weakly) inherited by $\tau$. 

Let $\sigma \lhd \tau$ in HTSP. For an HTSP-algebra $A$ and meta-method $\beta$ compatible with $\alpha$ as men­tioned above, $\alpha$ is said to be inherited to $\tau$ in $A$ if for $a_i \in s_i^A$, $1 \le i \le p$, $k_i(\beta(a_1, \ldots, a_q, \ldots, a_p)) = 
k_i(\alpha(a_1, \ldots, a_q))$ for each instance component name $k_i$. $\sigma$ is said to be strongly inherited by $\tau$ in $A$ 
if each meta-method $k_i$ in $\sigma$ is inherited in $A$. In this case, $\alpha$ can be compatibly adapted to $\tau$ in $A$ 
by defining $\alpha(a_1, \ldots, a_q) = \beta(a_1, \ldots, a_q, c_{q+1}, \ldots, c_p)$ for fixed elements $c_j \in s_j^A$, $q < j \le p$. 

Proposition 2.1 Let $\sigma \lhd \tau$ in the typed specification HTSP. Assume that $\sigma$ is not an attribute 
type for any other object type in HTSP. For any HTSP-algebra $A$, let $B$ be obtained from $A$ by 
replacing $\sigma^A$ by $\sigma^A \cup \tau^A$; then $B$ is an HTSP-algebra. ∎ 

Proposition 2.2 With the conditions above, for any HTSP-algebra $A$ in which $\sigma$ is strongly in­herited by $\tau$, let $B$ be obtained from $A$ by replacing $\sigma^A$ by $\tau^A$; then $B$ is an HTSP-algebra after 
compatibly adapting $\alpha$ to $\tau$ in $A$. ∎ 

In both propositions, $B$ being an HTSP-algebra means that objects of type $\tau$ are objects of $\sigma$. 
This is an important feature in the object oriented framework. 

3 Implementation of Object Types 

In this section we briefly discuss the notion of implementation. We utilize existing notions of 
implementation in the literature [2,8,14] and integrate the distinctness of object orientation. 

Let HTSP and SPEC $= (S, \Sigma, E)$ be the typed specifications of $\sigma$ and $\tau$, respectively. The basic 
idea of implementing $\sigma$ by $\tau$ (or HTSP by SPEC) is to use the features in SPEC to describe those 
in HTSP. In case several sorts, $s_1, \ldots, s_p$, in SPEC are used to describe one sort $t$ in HTSP, we 
denote the sequence of sorts by $\langle s_1, \ldots, s_p \rangle$ and call it a joint sort; it is essentially a product 
type. Each $s_i$ in a joint sort is associated with a fixed attribute of type $s_i$. Two or more attributes, 
$k_1, \ldots, k_p$ in SPEC can be used to describe one attribute $k$ in HTSP, and we denote this sequence 
by $\langle k_1, \ldots, k_p \rangle$ and call it a joint attribute. Moreover, methods are needed for manipulating 
these joint attributes. We will call these methods compound methods. A compound method involves 
one or more existing methods in SPEC and consists of terms $(t_1, t_2, \ldots, t_u)$ of appropriate types 
from $T_\Sigma(X)$. This is an ordered sequence and the effect is equivalent to the sequential actions of 
these component terms as operations. With the introduction of a joint sort $s = \langle s_1, \ldots, s_p \rangle$, a 
meta-method whose argument types include all the types in $s$ can be rewritten by substituting $s$ 
for the occurrences of $s_1, \ldots, s_p$. 

A joint sort or a joint attribute exists only functionally, that is, it is not a component in a 
specification. Instead, a joint sort means that several existing sorts will be involved for a single 
action by a (compound) method. Similarly, a joint attribute of a joint type means that several 
attributes will be involved in an action by a (compound) method. In contrast, a compound method 
is a component of the object type. A compound method can be defined on a joint attribute and 
thereby it may access the attributes or change the values of the attributes involved in the joint 
attribute when the compound method is invoked. 

To implement HTSP by SPEC, we follow the three stages, synthesis, restriction, and identi­fication, in [8]. The first stage is to enrich SPEC to EnSP. An enrichment of SPEC is a typed 
specification EnSP obtained from SPEC by adding attributes of the existing types (rather than $\sigma$) 
in SPEC, defining a set of joint sorts and a set of joint attributes to SPEC, adding a number of 
compound methods, and accordingly the operations for the new components. We do not use the 
sort implementing operations; rather we use the implementation morphism, in a similar manner 
to [14]. In the second stage, EnSP is restricted to $\mathrm{EnSP}_{impl}$ by deleting the methods which are 
not used directly in simulation. Finally representatives are selected from a given $\mathrm{EnSP}_{impl}$-algebra 
$A$ using a congruence, to simulate an HTSP-algebra. In what follows, we always assume that 
HTSP, HTSP1, SPEC and SPEC1 are typed specifications of $\sigma$, $\sigma_1$, $\tau$ and $\tau_1$, respectively, and 
HTSP $= (S, \Sigma, E)$ and HTSP1 $= (S1, \Sigma1, E1)$. 

An implementation morphism from HTSP to HTSP1 is an injective mapping $h$ from $\Sigma$ to $\Sigma1$ 
such that $h(\sigma) = \sigma_1$ and for any operation symbol $\alpha : s_1 \times \ldots \times s_q \to s$, if $\alpha$ is a meta-method 
for $\sigma$, then $h(\alpha)$ is of the form $h(s_1) \times \ldots \times h(s_q) \times t_1 \times \ldots \to \sigma_1$; otherwise, $h(\alpha)$ is of type 
$h(s_1) \times \ldots \times h(s_q) \to h(s)$. If $h(s) = s$ for each $s \ne \sigma$ that is not a meta-method sort in $\sigma$, we call $h$ 
an inheritance morphism. 

An implementation morphism is a generalisation of a signature morphism in the conventional 
sense since it does not necessarily preserve the meta-methods. The implementation morphism $impl$ 
maps each sort $s$ of HTSP to a sort or to a joint sort in EnSP, an attribute to an attribute or a 
joint attribute, and a method to a method or a compound method. 

An implementation of HTSP $= (\Sigma, E)$ of $\sigma$ on SPEC of $\tau$ is given by an enriched specification 
EnSP of SPEC and an implementation morphism $impl$ from HTSP to EnSP, and denoted by (HTSP, 
$impl$, EnSP, SPEC). A model $M$ of the implementation (HTSP, $impl$, EnSP, SPEC) is a quadruple 
$(A, impl^A, B, \equiv_{impl})$ consisting of an HTSP-algebra $A$, an $\mathrm{EnSP}_{impl}$-algebra $B$ and an injective 
homomorphism $impl^A$ from $A$ to a congruence $B/\!\equiv_{impl}$ of $B$, where $\mathrm{EnSP}_{impl}$ is the typed 
specification obtained from EnSP by deleting the methods in EnSP which are not within the image 
of $impl$. 

The definition of implementation is a partial one in the sense that we do not require that every 
HTSP-algebra can be represented by an $\mathrm{EnSP}_{impl}$-algebra. If EnSP $=$ SPEC in (HTSP, $impl$, EnSP, 
SPEC), we say that HTSP is implemented by SPEC, and denote it by (HTSP, $impl$, SPEC). There 
can be multiple ways for implementing an object type on (by) another in that a compound method 
may be composed using a different set of terms. In addition, an implementation can have many 
models. It is easy to see that if SPEC1 is an enrichment of SPEC and SPEC2 an enrichment of 
SPEC1, then SPEC2 is an enrichment of SPEC; and if $impl$ is an implementation morphism from 
HTSP to SPEC1 and $impl_1$ an implementation morphism from SPEC1 to SPEC2, then $impl_1 \circ impl$ 
is an implementation morphism from HTSP to SPEC2. 

Proposition 3.1 (Composition of Implementations) If (HTSP, $impl$, EnHT1, HTSP1) and (HTSP1, 
$impl_1$, EnSP, SPEC) are implementations, then (HTSP, $impl'_1 \circ impl$, EnEnSP, SPEC) is an imple­mentation and the diagram in Figure 1(a) commutes on $K^\sigma$, i.e., for $k \in K^\sigma$, $h \circ impl_1(k) = 
impl'_1 \circ g(k)$, where EnEnSP is an enrichment of EnSP constructed in a natural way along the 
construction of EnHT1 from HTSP1, and $impl'_1$ is an extension of $impl_1$; and for $impl(t) = \langle 
t_1, \ldots, t_r \rangle$ with $impl_1(t_i) = \langle t_{i,1}, \ldots, t_{i,r_i} \rangle$, $impl'_1 \circ impl(t) = \langle t_{1,1}, \ldots, t_{1,r_1}, \ldots, t_{r,1}, \ldots \rangle$. 

Moreover, ($\mathrm{EnHT1}_{impl}$, $impl'_2$, EnEnSP, SPEC) is an implementation of $\mathrm{EnHT1}_{impl}$ on SPEC, 
where $impl'_2$ is the restriction of $impl'_1$ on $\mathrm{EnHT1}_{impl}$. And if $(A, impl, B, \equiv_{impl})$ is a model 
for (HTSP, $impl$, EnHT1, HTSP1) and $(B, impl'_2, C, \equiv_{impl'_2})$ is a model for ($\mathrm{EnHT1}_{impl}$, $impl'_2$, 
EnEnSP, SPEC), then $(A, impl'_1 \circ impl, C, \equiv_{impl'_1 \circ impl})$ is a model for (HTSP, $impl'_1 \circ impl$, 
EnEnSP, SPEC), where $C/\!\equiv_{impl'_1 \circ impl} = (C/\!\equiv_{impl'_2})/\!\equiv_{impl}$. ∎ 

[Figure 1: commuting diagrams (a) and (b) over SPEC] 

Proposition 3.3 Let HTSP and HTSP1 be two typed specifications of $\sigma$ and $\sigma_1$, respectively, and 
$\sigma \lhd \sigma_1$. If both HTSP and HTSP1 can be implemented on SPEC, then there are enrichments EnSP 
and EnSP1 of SPEC, and implementations (HTSP, $impl$, EnSP) and (HTSP1, $impl_1$, EnSP1), 
such that the diagram in Figure 1(b) commutes on $K^\sigma$, where $h$ is an inheritance morphism. ∎ 
4 Complex Classes and Their Inheritance 

In this section we formalise the concept of complex class and inheritance on these classes in the 
framework of implementation studied in the last section. 

A complex class specification for a type HTSP is an implementation CL $=$ (HTSP, $impl$, SPEC) of 
HTSP by SPEC. A model $M$ of a class CL $=$ (HTSP, $impl$, SPEC) is a model of the implementation. 
An object of type $\sigma$ in CL is a pair $(a, b)$ for $a \in \sigma^A$ and $b$ an object of $\rho$ with $impl(a) = [b]$, where 
$[b]$ is the coset including $b$ in the congruence. Given two typed specifications HTSP and HTSP1 
of $\sigma$ and $\sigma_1$, respectively, and two classes, CL $=$ (HTSP, $impl$, SPEC) and CL1 $=$ (HTSP1, $impl_1$, 
SPEC1), we say that CL1 is an inheritance extension of CL if SPEC1 is an enrichment of SPEC; 
and if for each instance component $k \in K^\sigma$, $h \circ impl(k) \in impl_1(K^{\sigma_1})$, where $h$ is the inclusion 
morphism from $K^\sigma$ to $K^{\sigma_1}$, and for each meta-method $\alpha$ in $K^\sigma$, there is a meta-method $\beta$ in $K^{\sigma_1}$ 
such that $impl_1(\beta)$ is compatible with $impl(\alpha)$. 

Propoaition 4.1 Let class CLl—(HTSPl,im^i,SPECl) be an inheritance extension of class CL 
=(HTSP,impl,SPEC). For a model M=(A,impl, B,=) of CLl, let N=(A',impT,ff,= ) be obtained 
from Ad by replacing by ir* U of and replacing p® by p® U p®, then N is model of CLl, where, 
p and Pi are the central sorts <n SPECi^pt and SPECUmpix, respectively. | 

Propoaition 4.2 WiUi the conditions above, let N=(A‘,impP,B',= ) be obtained from M by re¬ 
placing by erf and replacing p® by pf. If a is strongly inherited by Oi tn A, then N %s a model 
of CLl after compatibly adapting a to r in A. | 

Similarly, these properties mean that objects of an inheriting class are objects of the inherited 
class. 
1 Introduction 

The overall aim of this paper is to stabilize and strengthen the algebraic specification 
method to software engineering and development. We do not introduce new theoretical 
results, but define a conceptual model, i.e., an information system schema, for 
the well-established algebraic specification language ACT ONE and its accompanying 
specification environment. Existing specification systems like ASSPEGIQUE [BC85], 
RAP [Hus85], ACT [Han87], OBJ3 [GW88] or OBSCURE [LW91] provide mechanisms 
to store and retrieve specifications and to operate on them. But in general 
(the OBSCURE system seems to be an exception) they employ no systematic approach 
to information administration. Usually they rely on storage facilities of the 
underlying programming language and file system. A solution to the information 
handling problem is the use of information systems or, more specifically, databases. They 
are already accepted as being important components of software development systems, 
and, since specification systems can be regarded as parts of general software 
development systems, the same arguments apply to them. 


2 Applying Database Technology to Algebraic 
Specifications 

The application of databases to construct systems for specification languages leads 
to certain requirements: (1) Since specifications are structured entities, the database 
must be capable to deal with complex objects in a coherent way. This requirement 
suggests not to employ relational technology. (2) Since the specification task has an 
interactive nature, the system must be capable to deal with incomplete information. 

*Work reported here has been partially supported by the CEC under Grant No. 6112 (COMPASS) 
and BMFT under Grant No. 01 IS 203 D (KorSo). 

It must support different degrees of incompleteness and should enable mechanisms 
for automatic tool invocation if the state of completeness changes. 

In our approach, we apply know-how of the database field in the area of algebraic 
specifications. The development of algebraic specifications describing software systems 
of practical relevance usually results in large sets of related specification units. 
These units arise from the decomposition of complex specifications into smaller pieces 
by means of the structuring mechanisms provided by specification languages. Additionally, 
algebraic methods and especially specification languages give rise to a bulk 
of information like proofs, formal transformation steps, formal relations like signature 
morphisms, etc., which have to be stored to be accessible by various tools. 

Here we show how a concrete data model, namely the object-oriented data model of 
TROLL light [CGH92], can be used to support the algebraic specification language 
ACT ONE. However, the concepts used are general enough to support other specification 
languages as well. Therefore, we feel the design of a conceptual schema for 
ACT ONE is mainly a case study in employing a semantic data model for database 
support of specification or programming languages. The approach chosen is general 
and can be used for other languages as well. It is therefore a proposal for the 
consolidation of environments for algebraic specification languages. The definition 
of the database schema is done by means of TROLL light, a specification language 
for objects developed recently within the KorSo Project. TROLL light, a dialect of 
TROLL [JSHS91], allows to represent structure and behavior of conceptual objects. 

It is designed to describe the universe of discourse as a system of concurrently existing 
and interacting objects. As in TROLL, object descriptions are called templates 
in TROLL light. Because of their purely intensional meaning, templates may be compared 
with the notion of class found in object-oriented programming languages. In 
the context of databases, however, classes are also associated with class extensions, so 
that we settled on a fresh designation. Templates show the following structure. 

TEMPLATE      name of the template 
DATA TYPES    data types used in current template 
TEMPLATES     other templates used in current template 
SUBOBJECTS    slots for sub-objects 
ATTRIBUTES    slots for attributes 
EVENTS        event generators 
CONSTRAINTS   restricting conditions on object states 
VALUATION     effect of event occurrences on attributes 
DERIVATION    rules for derived attributes 
INTERACTION   synchronization of events in different objects 
BEHAVIOR      description of object behavior by event-driven sequential machines 
END TEMPLATE 


3 ACT ONE Types Described by TROLL light Templates 

We cannot go into the details of our design of the ACT ONE environment or into the 
details explaining how TROLL light can be translated to the object-oriented database 
system [LLOW91] used in the Braunschweig KORSO project. But in order to give a 
feeling how the design looks like, we concentrate on ACT ONE types. An ACT ONE 
type is represented in TROLL light by a template (or object type) characterizing its 
static and dynamic properties. 

The template Type given below has the following attributes: Name - Name of the type. 
Text - Textual representation of the type provided by some editor. UsedNames - List 
of used type names. CfCorrect - Indicates whether the textual representation has 
been checked syntactically, i.e., whether it is context free correct, and a syntax tree 
has been built. Complete - Indicates whether all types in the UsedNames list are in 
the database. Flattable - Indicates whether a flat representation of the type can be 
computed. IsFlat - Indicates that a flat representation is available. UsedTypes - Set 
of used and actually existing types. Syntax - Object-valued attribute describing the 
syntactical appearance of the corresponding type. This attribute may be undefined 
and will be defined after successful context free analysis. Flat - This attribute 
describes the flat representation of types. It may be undefined and will be defined 
after successful context sensitive analysis. 

In contrast to the attribute UsedNames, which contains a list of type names necessary 
for context sensitive analysis but which may not already exist, the set- and 
object-valued attribute UsedTypes refers only to those types which are currently 
existing. 

TEMPLATE Type 
  DATA TYPES   String, Bool; 
  TEMPLATES    Type, Typeexpr, Pspec; 
  ATTRIBUTES   Name:string; Text:string; 
               UsedNames:LIST(string); CfCorrect:bool; 
               DERIVED Complete:bool; DERIVED Flattable:bool; 
               IsFlat:bool; UsedTypes:SET(type); 
               Syntax:typeexpr; Flat:pspec; 
  EVENTS       BIRTH create(InitName:string, InitText:string); 
               changeText(NewText:string); 
               DEATH destroy; 
  CONSTRAINTS  DEF(Name); DEF(Text);                          -- (R1) 
               CfCorrect IMPLIES 
                 (DEF(Syntax) AND DEF(UsedNames));            -- (R2) 
  VALUATION    [create(N,T)] Name = N, Text = T; 
  DERIVATION   Complete = 
                 CfCorrect AND 
                 (FORALL (N:LTS(UsedNames)) 
                   (EXISTS (T:UsedTypes) 
                     (Name(T) = N AND CfCorrect(T))));         -- (R3) 
               Flattable = 
                 Complete AND 
                 (FORALL (T:UsedTypes) IsFlat(T));             -- (R4) 
  BEHAVIOR 
END TEMPLATE; 

In the template certain requirements concerning ACT ONE types are formulated as 
constraints and derivation rules: (R1) A type must have at least a name and a textual 
representation. (R2) If a type has been checked syntactically, its syntax tree and use 
list must be available. (R3) A type is complete if all used types are already existing. 
(R4) A type is flattable if all its used types are already flat. Please note that arbitrary 
events are possible in our approach. We could even have events like contextFree- 
Analysis, contextSensitiveAnalysis, or computeFlatRepresentation. 
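The rules (R1) to (R4) are easy to get subtly wrong when a tool recomputes them after every edit, so here is an added example (not part of the paper and not TROLL light or its database code) that models the template Type in Python: the derived attributes Complete and Flattable are computed over the set of currently existing types, and the constraints (R1) and (R2) are checked on demand. The type names, texts and the tiny database in demo() are constructed sample data.

```python
"""Added example (not from the paper): a Python model of the TROLL light
template Type. It keeps the template's attributes, computes the derived
attributes Complete (R3) and Flattable (R4) over the set of currently
existing types, and reports violations of the constraints (R1) and (R2).
The type names and texts used in demo() are constructed sample data."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class TypeObj:
    """One object of template Type. Optional slots model attributes that the
    template allows to be undefined (DEF(...) is false)."""
    name: Optional[str]
    text: Optional[str]
    used_names: Optional[list] = None   # UsedNames: defined after CF analysis
    cf_correct: bool = False            # CfCorrect
    is_flat: bool = False               # IsFlat
    syntax: Optional[object] = None     # Syntax: object-valued, may be undefined
    flat: Optional[object] = None       # Flat: object-valued, may be undefined


class TypeDB:
    """The set of currently existing Type objects; UsedTypes is derived from
    it, so it never refers to a type that is not in the database."""

    def __init__(self) -> None:
        self.types: dict = {}

    def add(self, t: TypeObj) -> None:
        self.types[t.name] = t

    def used_types(self, t: TypeObj) -> list:
        """UsedTypes: the used names that actually exist in the database."""
        return [self.types[n] for n in (t.used_names or []) if n in self.types]

    def violations(self, t: TypeObj) -> list:
        """(R1) Name and Text must be defined.
        (R2) CfCorrect implies Syntax and UsedNames are defined."""
        out = []
        if t.name is None or t.text is None:
            out.append("R1")
        if t.cf_correct and (t.syntax is None or t.used_names is None):
            out.append("R2")
        return out

    def complete(self, t: TypeObj) -> bool:
        """(R3) Complete = CfCorrect and, for every used name N, some
        existing used type T has Name(T) = N and CfCorrect(T)."""
        if not t.cf_correct or t.used_names is None:
            return False
        existing = self.used_types(t)
        return all(any(u.name == n and u.cf_correct for u in existing)
                   for n in t.used_names)

    def flattable(self, t: TypeObj) -> bool:
        """(R4) Flattable = Complete and every used type IsFlat."""
        return self.complete(t) and all(u.is_flat for u in self.used_types(t))


def demo() -> dict:
    """Constructed sample database: Bool is flat; Nat uses Bool; List uses
    Nat and a type Elem that has not been stored yet; Bad lacks a Text."""
    db = TypeDB()
    bool_t = TypeObj("Bool", "type Bool ...", [], True, True, syntax=object())
    nat_t = TypeObj("Nat", "type Nat ...", ["Bool"], True, False, syntax=object())
    list_t = TypeObj("List", "type List ...", ["Nat", "Elem"], True, False,
                     syntax=object())
    bad_t = TypeObj("Bad", None, None, True, False)   # violates (R1) and (R2)
    for t in (bool_t, nat_t, list_t, bad_t):
        db.add(t)
    return {
        "Bool": (db.complete(bool_t), db.flattable(bool_t)),
        "Nat": (db.complete(nat_t), db.flattable(nat_t)),
        "List": (db.complete(list_t), db.flattable(list_t)),
        "Bad": db.violations(bad_t),
    }
```

Running demo() shows the point of separating UsedNames from UsedTypes: List names Elem in its use list, but since Elem is not in the database it is neither complete nor flattable, while Nat becomes flattable as soon as its only used type Bool is flat.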


4 Conclusion 

Although our approach was inspired by [BCC90] and we tried to describe the same 
problems, our approach is quite different. In [BCC90] the design of the specification 
database of the ASSPEGIQUE environment is described by means of the algebraic 
specification language PLUSS. They employed a general specification language and 
presented a rather long specification describing certain states of incompleteness of 
specifications. Because we employ a powerful data model, we are able to describe the 
same affair in fewer lines. 
A Formal Definition of an Abstract Prolog Compiler 

1 Motivation and related work 

In the last years, the importance of logic programming languages has increased. For logic languages we could 
understand not only PROLOG but also several languages that use logical components (deductive inference as operational 
semantics, unification, backtracking, etc.). Probably, the development of efficient implementation techniques for 
PROLOG (the canonical element of these kind of languages) is an important component of their success. 

The contribution of Warren [Wa83] with the design of an abstract machine points out the possibility of compiling 
PROLOG and getting efficient code. Most of current PROLOG systems are based on the resulting machine, usually 
called the WAM (Warren Abstract Machine). 

Even though there are formal descriptions of the WAM (see [Ku89], [Ru92] and, specially, [BR92]) the explanations (for 
instance [GLLO85], [MWU], and, best of all, [AK91]) do not seem to bring the reader to a good understandable 
view. 

From our point of view, we think that it is possible and necessary to reinvent the WAM. This claim can be easily 
justified with the following words: a new and more clear view must be offered about compilation of PROLOG, but it 
must not be a collection of instructions being executed on a memory stack. 

In this paper we present an abstract view of the WAM by a formal description. For an abstract WAM we understand 
a description of the WAM focused in how: a) it implements SLD-resolution with backtracking and b) the main elements 
of PROLOG (unification and backtracking) can be compiled. We are not interested in implementation details and 
optimisations. 

The components of an abstract machine are the following: 

• the data area which defines the configuration of the machine; 

• the instruction set and a semantic function for each of its elements (defining the changes on the configuration after 
executing an instruction); 

• the transition function between an initial and a final configuration, which is guided by the semantic function of the 
instruction being currently executed; and 

• the translation function which compiles a program into machine code. 

Abstract data types (ADTs) can be used to describe these components, while the semantic function is defined in terms 
of the operations of the ADTs. 

Furthermore, this definition is the middle point of a more ambitious project: the abstract WAM can be derived 
from SLD-resolution, the operational semantics of PROLOG, by stepwise refinement. Furthermore, the whole WAM 
can be derived from the abstract WAM by supplying efficient ADT implementations. Notice that the framework allows 
to manage both steps, by refining the data area (in the first step) or by refining the ADT implementations. 

An executable and visualizable formal specification would point out the success of the design decisions taken by 
Warren in the compilation of PROLOG and could make them applicable to other logic languages. 
2 The Abstract WAM 

2.1 Data Area 

This section informally describes the abstract WAM. We are using an OBJ-like language for the specification with some 
simple modifications in order to make it closer to the object oriented approach and to simplify the specification. For 
instance, if an ADT a is just the aggregation of some different ADTs a1, ..., an (which is very often the case) we allow to use 
operations of ai as operations of a without writing them in a's specification. We also allow the use of operations as 
arguments of other operations. Due to the lack of space we will only present some examples of the formalisation. Figure 
1 shows the basic ADTs SET and STACK used later. 

As shown in figure 2 the data area is formed by the WAM-program, or-stack, the argument registers and the heap. 

Let us discuss each element with some detail. 

• The program contains a label-indexed array of WAM-instructions and a program counter, which is a label. 
*Departamento LSIIS, Facultad de Informática, Campus de Montegancedo, Boadilla del Monte, 28660 Madrid, Spain. 


adt SET [e : element] is 
  sort set 
  operation Insert : set element -> set 
  operation Remove : set element -> set 
  operation ∈ : element set -> bool 
  operation ∅ : -> set 
  operation ∪ : set set -> set 
  vars i, j : element 
  var S : set 
  vars A, B : set 
  axioms 
  Insert (Insert (S, i), j) = Insert (Insert (S, j), i)   if i <> j 
  Remove (Insert (S, i), i) = Remove (S, i) 
  Remove (Insert (S, j), i) = Insert (Remove (S, i), j)   if i <> j 
  Remove (∅, i) = ∅ 
  i ∈ Insert (S, j) = (i = j) or (i ∈ S) 
  not (i ∈ ∅) 
  i ∈ (A ∪ B) = (i ∈ A) or (i ∈ B) 
endadt 

adt STACK [e : element] is 
  sort stack 
  operation EmptyStack : -> stack 
  operation Push : stack element -> stack 
  operation Pop : stack -> stack 
  operation IsEmpty : stack -> bool 
  operation Top : stack -> element 
  operation ModifyTop : stack (element -> element) -> stack 
  var S : stack 
  var e : element 
  var f : element -> element 
  axioms 
  IsEmpty (EmptyStack) = true 
  IsEmpty (Push (S, e)) = false 
  Pop (EmptyStack) = error 
  Pop (Push (S, e)) = S 
  Top (Push (S, e)) = e 
  ModifyTop (Push (S, e), f) = Push (S, f (e)) 
endadt 

Figure 1: The ADTs SET and STACK 



Figure 2: The Abstract WAM components 


• The argument registers are collected in an array of heap pointers. It is used for parameter passing during clause 
application. The ADT argument registers is a simple instance of the basic ADT ARRAY. 

• A stack (called or-stack) is used to traverse the resolution tree with a depth first strategy. The or-stack is defined 
by inheritance after the ADT stack with choice points as components. 

• Choice points are used to store the information needed for applying any clause to a predicate call. There are 
several applicable clauses, so this information could be reused several times. The ADT choice point contains a 
copy of the argument registers (arguments of the predicate call), the local trail (used to record variable bindings 
in order to undo them after backtracking), the program address of the next clause and one and-stack. 

• A trail is a set of variable names, as shown in figure 3.* 

• As before, we get the and-stack after an instantiation and inheritance from STACK with environments as elements 
(see figure 3). 

• An environment is used to perform the application of a given clause to a predicate call. For this purpose, it 
contains the continuation label (beginning of the code of the next predicate call) and the variables of the clause. 

• The ADT variable is defined together with the ADT heap. A variable is a pair (variable name, heap pointer). The 
heap is used to represent PROLOG terms in clauses and goals. A heap is a table with a pointer as key and each 
element is a term: a constant, a constructor with some heap pointers as arguments or a variable name. 
*Notice that the 

adt TRAIL is 
  extending SET [VAR_NAME] trail 
endadt 

adt ENVIRONMENT is 
  using VARIABLES, WAM_PROGRAM 
  operation Create : set prog_addr -> environment 
  operation Modify_CP : environment prog_addr -> environment 
  operation Consult_CP : environment -> prog_addr 
  operation Modify_Var : environment name variable -> environment 
  operation Consult_Var : environment name -> variable 
  var E : environment 
  var V : set 
  var CP : prog_addr 
  var n : name 
  var X : variable 
  axioms 
  Consult_CP (Create (V, CP)) = CP 
  Consult_CP (Modify_CP (E, CP)) = CP 
  Consult_Var (Create (V, CP), n) = Unbound 
  Consult_Var (Modify_Var (E, n, X), n) = X 
endadt 

adt AND_STACK is 
  extending STACK [ENVIRONMENT] and_stack 
endadt 

adt OR_STACK is 
  extending STACK [CHOICE] or_stack 
endadt 

Figure 3: ADTs ENVIRONMENT, TRAIL, AND-STACK and OR-STACK 


2.2 Semantic Function 

We will not give the complete instruction set, but one can find (a part of) it in the next section where the translation 
function is discussed. 

The semantic function is a mapping between a WAM-instruction and a data area into a data area, i.e. it specifies 
the modification in the data area after executing a given instruction. The specification is the composition of several 
operations of the data area components. Figure 4 shows the specification of the semantic function of a couple of 
instructions. For instance, the try_me_else instruction rewinds the trail of the most recent choice point (by using an 
operation of the ADT or-stack), stores the label of the next alternative, initializes the choice point for the next clause 
application and increments the program counter. 


Figure 4: The translation function and the semantic function (E1 : Wam_Instruction x Wam_State -> Wam_State) 

2.3 Translation Function 

The translation function specifies how PROLOG code is compiled into WAM code. It is described by using some 
auxiliary functions. Figure 4 describes the compilation of a PROLOG program as the compilation of the goal and 
the procedures (clauses for a given predicate). A procedure needs some code for the management of backtracking 
(try_me_else, retry_me_else and trust_me instructions) and the compilation of clauses. Clauses are translated by using 
the unify_term and unify_address schemas and particular instructions. 

3 Conclusion 

Although it is not the main goal of the paper, let us say something about our derivation of the WAM. It is carried out in 
two big steps. The first step is the derivation of the main elements of the WAM. We have not space enough to describe 
all the refinement steps. So, we would only mention some important points. 

The preliminary machine is a stack based description of SLD-resolution solving literals from left to right and using 
the clauses in textual order. The stack stores resolution steps containing the current goal (a list of literals starting with 
a predicate call p), the substitution of the step and the next clause of p to be used. These resolution steps are called 
choice points. 

Now, code could be used to codify goals. The goals in the choice points are replaced by some argument registers 
and the continuation program label. A program label replaces the next clause. 

Next step is the compilation of substitutions. The heap allows to represent substitutions as a set of pairs (variable 
name, heap pointer). The set includes the variables bound during the resolution step (choice point). 

One could notice that the number of variables bound in a resolution step is unknown in advance. However, it is 
possible to give names to the local variables of the clause during the compilation process. The choice point could be 
responsible of collecting the bindings of the local variables. Nonlocal variable bindings are "remembered" into a local 
trail. From the point of view of SLD-resolution the trail helps in the reconstruction of the step substitution. From the 
machine viewpoint, it is needed to rewind variable bindings after backtracking. 

Furthermore, in the case that a predicate has only one clause, a full choice point could suppose a waste of memory. 
It can be simplified in an environment with only local variables and the continuation label. The and-stack keeps all the 
environments belonging to a choice point. 

As a final step, term representation into the heap and the parameter passing mechanism could be refined by using 
specialised machine instructions. These instructions have the responsibility of constructing or unifying terms (constant, 
functor or variable). 
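The preliminary machine just described, and the or-stack, trail and heap of section 2.1, are small enough to be written down in full. The following added example (not from the paper, and not the authors' OBJ-like specification) is a stack-based SLD resolver in Python: the or-stack holds choice points made of a goal list, a trail mark and the index of the next clause to try; the heap is a dictionary of variable bindings; and the trail is the list of bound variables, rewound to the mark of a choice point whenever the machine backtracks to it. The term encoding, the predicate append/3 and the query append(X, Y, [1, 2]) are constructed sample input.

```python
"""Added example (not from the paper): a stack-based SLD resolver modelling
the 'preliminary machine' of the derivation and the data-area elements of
section 2.1 (or-stack of choice points, heap of bindings, trail). The term
encoding and the append/3 program below are this example's own sample input."""


class Var:
    """A logic variable, hashed by identity so it can key the heap."""
    def __init__(self, name): self.name = name
    def __repr__(self): return self.name


class Machine:
    def __init__(self, program):
        self.program = program   # predicate name -> list of (head, body)
        self.heap = {}           # Var -> term: the current bindings
        self.trail = []          # Vars in binding order, for rewinding
        self.fresh = 0

    def deref(self, t):
        while isinstance(t, Var) and t in self.heap:
            t = self.heap[t]
        return t

    def bind(self, v, t):
        self.heap[v] = t
        self.trail.append(v)

    def rewind(self, mark):
        """Undo every binding made after the trail mark of a choice point."""
        while len(self.trail) > mark:
            del self.heap[self.trail.pop()]

    def unify(self, a, b):
        a, b = self.deref(a), self.deref(b)
        if isinstance(a, Var) and a is b:
            return True
        if isinstance(a, Var):
            self.bind(a, b)
            return True
        if isinstance(b, Var):
            self.bind(b, a)
            return True
        if isinstance(a, tuple) and isinstance(b, tuple):   # f(args...)
            return (len(a) == len(b) and a[0] == b[0]
                    and all(self.unify(x, y) for x, y in zip(a[1:], b[1:])))
        return a == b                                       # constants

    def rename(self, clause):
        """Fresh copy of a clause: every Var is replaced by a new one."""
        mapping = {}

        def ren(t):
            if isinstance(t, Var):
                if t not in mapping:
                    self.fresh += 1
                    mapping[t] = Var(f"_{self.fresh}")
                return mapping[t]
            if isinstance(t, tuple):
                return (t[0],) + tuple(ren(x) for x in t[1:])
            return t

        head, body = clause
        return ren(head), [ren(g) for g in body]

    def solve(self, goals):
        """Depth-first resolution; yields once per solution with the
        bindings live in self.heap. Choice point = (goals, mark, idx)."""
        or_stack = [(list(goals), len(self.trail), 0)]
        while or_stack:
            goals, mark, idx = or_stack.pop()
            self.rewind(mark)                 # backtrack to this choice point
            if not goals:
                yield
                continue
            goal = self.deref(goals[0])
            clauses = self.program.get(goal[0], [])
            if idx >= len(clauses):
                continue                      # no alternative left: fail
            if idx + 1 < len(clauses):        # keep a choice point for retry
                or_stack.append((goals, mark, idx + 1))
            head, body = self.rename(clauses[idx])
            if self.unify(goal, head):
                or_stack.append((body + goals[1:], len(self.trail), 0))

    def resolve(self, t):
        """Fully substitute the current bindings into a term."""
        t = self.deref(t)
        if isinstance(t, tuple):
            return (t[0],) + tuple(self.resolve(x) for x in t[1:])
        return t


def plist(items):
    """Build a Prolog list term from a Python list ('.' cells and '[]')."""
    out = "[]"
    for x in reversed(items):
        out = (".", x, out)
    return out


def to_list(t):
    """Inverse of plist for a ground list term."""
    out = []
    while t != "[]":
        out.append(t[1])
        t = t[2]
    return out


def run_append_query():
    """Constructed sample: append/3 and the query append(X, Y, [1, 2])."""
    H, T, L, R = Var("H"), Var("T"), Var("L"), Var("R")
    program = {"append": [
        (("append", "[]", L, L), []),
        (("append", (".", H, T), L, (".", H, R)), [("append", T, L, R)]),
    ]}
    m = Machine(program)
    X, Y = Var("X"), Var("Y")
    results = []
    for _ in m.solve([("append", X, Y, plist([1, 2]))]):
        results.append((to_list(m.resolve(X)), to_list(m.resolve(Y))))
    return results
```

The query enumerates the three splits of [1, 2] in textual clause order. The trail mark stored in each choice point is what makes the second and third answers correct: when the machine pops the choice point for the second clause of append, rewind() unbinds exactly the variables bound by the abandoned first-clause attempt and nothing older, which is the role the local trail plays in the derivation above.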

With this derivation we obtain the Abstract WAM described before. The result enhances the abstract behaviour of 
the WAM without knowing implementation details. The data area is configured with some abstract data types that are 
not fully implemented, but the implementation must fulfil some axioms. 

As a second big step, we can make the optimisation of this machine. The optimisations are performed in the same 
framework. Some optimisations arise from further refinement of the data area (for instance using a global trail instead 
of a local one). Other ones from the concrete implementation of the abstract data types: implementation of the heap 
as a stack, optimal memory allocation of the data area as contiguous memory areas, etc. Finally, the semantics of the 
instructions could also be optimised as in the last call optimisation, the environment trimming and so on. As a result 
we get a formal description of the WAM as described in [AK91]. 

The derivation and the Abstract WAM could help to understand the compilation of PROLOG. Moreover, they are 
useful to modify the machine design to implement new "logic languages" (in a general sense). The WAM has been used 
as a basis for the implementation of several declarative languages and symbolic computation systems: integration of 
functional and logic programming, constraint logic programming, logic programming with types, modules and contextual 
information, etc. The designer of a new machine could diverge from the WAM in any point of the derivation where the 
new language is different. The step by step specification has another advantage. The verification of the correctness of 
the WAM is simply obtained by proving equivalence between every machine and the following. 

The Abstract WAM (or a similar abstract machine) is easy to implement and test. In this sense we also plan 
a computer visualisation of all the process. A first prototype [GM92] is ready and we expect to complete it soon. 
1 Introduction 

The notion of equational definitions after predefined algebras (EDPA) was introduced 
in [3] in order to formalise the following rather widespread situation: given a data 
type D with a set of (predefined) functions Σ, a set of new (possibly partial) functions 
F on D is specified by a set of "recursive equations" of the form 

    f(t1, ..., tn) = t                                             (1) 

where f ∈ F and t1, ..., tn, t are terms over the signature Σ + F. 

The construction covers a variety of known particular cases from both mathematics 
and computer science. First-order functional programs over predefined (built-in 
or "abstract") data types form a particular class of functional EDPA - in this case 
R is an F-indexed family of equations (1) where t1, ..., tn is just a list of distinct 
variables. One can also recollect partial recursive definitions of arithmetic functions 
(over the algebra of natural numbers), term-rewriting systems over built-in algebras 
[1], or another EDPA of a more general form. E.g., the following two equational 
definitions over the algebra N of natural numbers with usual operations are intended 
to define (a) the greatest common divisor and (b) the integer division: 

    (a) gcd(0, n) = n;  gcd(n, m) = gcd(m, n);  gcd(m+n, n) = gcd(m, n). 

    (b) div(n, m+n+1) = 0;  div(m+n, n) = 1 + div(m, n). 

Here gcd is presumably total, while div seems to be partial, but it is a matter of 
semantics to say precisely which functions on N are defined by these equations. 
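To make the difference between (a) and (b) concrete before the formal semantics is introduced, here is an added example (not from the paper) that evaluates both definitions by applying the equations as left-to-right rewrite rules on concrete naturals. The rule-selection strategy (which equation to fire on a given argument pair) is this example's own choice, and the equations are read from the scanned (a) and (b) above, with the commutativity rule in (a) being an assumption of that reading. A step budget turns a rewrite that never reaches a normal form into an explicit "undefined" result, so the partiality of div shows up as a set of argument pairs rather than as a hang.

```python
"""Added example (not from the paper): evaluating the equational definitions
(a) gcd and (b) div over the natural numbers by rewriting, under a rule
selection strategy of this example's choosing, with a step budget so that
arguments on which no normal form is reached are reported as None."""

from typing import Optional

MAX_STEPS = 10_000   # rewrite budget; exhausting it is taken as "undefined"


def rewrite_gcd(a: int, b: int, budget: int = MAX_STEPS) -> Optional[int]:
    """gcd(0, n) = n ; gcd(n, m) = gcd(m, n) ; gcd(m+n, n) = gcd(m, n).
    Strategy: use the first rule when it matches, swap when the second
    argument is larger or zero, otherwise subtract (m = a - b)."""
    for _ in range(budget):
        if a == 0:
            return b                 # gcd(0, n) = n
        if b == 0 or a < b:
            a, b = b, a              # gcd(n, m) = gcd(m, n)
        else:
            a -= b                   # gcd(m+n, n) = gcd(m, n)
    return None


def rewrite_div(a: int, b: int, budget: int = MAX_STEPS) -> Optional[int]:
    """div(n, m+n+1) = 0 ; div(m+n, n) = 1 + div(m, n).
    For b == 0 only the second rule matches, and it matches forever:
    div(a, 0) = 1 + div(a, 0), so no normal form is ever reached."""
    ones = 0                         # the '1 +' prefixes accumulated so far
    for _ in range(budget):
        if b > a:                    # b = m + a + 1 for some m
            return ones
        a, ones = a - b, ones + 1    # a = m + b
    return None


def undefined_pairs(fn, limit: int) -> set:
    """Argument pairs in [0, limit)^2 on which fn yields no value."""
    return {(a, b) for a in range(limit) for b in range(limit)
            if fn(a, b) is None}
```

Under this strategy gcd terminates on every pair (each subtraction strictly decreases the first argument and a swap is always followed by a subtraction or by the base rule), whereas div is undefined exactly on the pairs (a, 0): the semantics developed in the next sections is what turns this strategy-dependent observation into a statement about which partial function on N the equations define.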

In [2,3] we have been developing algebraic semantics* of EDPA in order to make 
it possible to use equational logic with induction and corresponding term rewriting 
techniques for reasoning about functions defined in this way. A natural approach 
to this task is to represent the equational definition (1) as an enrichment (consistent, 
but not necessarily complete) of some algebraic specification SP of D. The 
main point here is to ensure that any correct specification of D provides the same 
semantics for a given set of equations R. To meet this natural requirement, we have 
introduced in [3] a flexible kind of algebraic presentations which leads to a so-called 
safe semantics of EDPA. In the next section we briefly reproduce this construction 
and then turn to the subject of completeness of EDPA. 

* Short version 
2 Algebraic Presentations and Safe Semantics of EDPA 

In what follows, A denotes a (predefined) algebra over an S-sorted signature Σ0, 
Σ0 + F is a (signature) enrichment, and R is a set of Σ0 + F-rewrite rules (oriented 
equations) of the form (1). Then the quadruple (Σ0, A, F, R) (denoted also (F,R)_A) 
forms an equational definition (of F by R) over A. 

To define semantics of EDPA means to set a correspondence between the quadruples 
and basic interpretations of F - sets of partial functions 

    F^A = { f^A | f ∈ F_{w,s}, w ∈ S*, s ∈ S }                        (2) 

which is to be in a proper logical relation to the set of equations R. 

To do this, we use algebraic specifications in a slightly generalised many-sorted 
language where the set X of variables used in axioms contains a distinguished subset 
X* of safe variables (then the variables in X \ X* are called unsafe). We write E(X*) 
and SP(X*) to reflect the fact that some of the variables in the set of axioms E of the 
specification SP are safe.^1 

Definition 1. Let SP(X*) = (Σ, E(X*)) be an algebraic specification (called a 
basic one) over A in the sense that Σ is a finite enrichment (or extension) of Σ0 and 
the Σ0-reduct of the initial model I(SP) is isomorphic to A.^2 Then 

- the enrichment SP'(X*) = SP(X*) + (F, R) is called an algebraic presentation 
(with safe variables) of the EDPA (F,R)_A; 

- a Σ + F-substitution μ : X -> T_{Σ+F}(X) is called safe if μ(X*) ⊆ T_Σ(X*); 

- a restricted congruence =_{E:R} on the ground term algebra T_{Σ+F} is the least one 
generated in a standard way by the set of equations E(X*) ∪ R using only safe 
substitutions; 

- the quotient T_{SP'(X*)} = T_{Σ+F} / =_{E:R} is called a (standard) model of SP'(X*); 

- the presentation (enrichment) SP'(X*) is called 

  • safe-consistent if the Σ-reduct of its standard model contains a subalgebra 
isomorphic to I(SP) (i.e., to A); 

  • safe-complete if each congruence class [t]_{E:R} of T_{SP'(X*)} contains some Σ-term; 

  • safe-persistent if it is both safe-consistent and safe-complete. 

Proposition 2 (cf. [3]). If the presentation SP'(X*) is safe-consistent, then there 
exists the basic interpretation of F on I(SP) (and so on A) defined as follows 

for each f ∈ F: 

    f^A([t1]_E, ..., [tm]_E) = [f(t1, ..., tm)]_{E:R} ∩ T_Σ                 (3) 

for all tuples t1, ..., tm of ground Σ-terms of appropriate sorts provided the right- 
hand side is not empty, otherwise f^A is undefined on the arguments. Moreover, 
the enrichment of I(SP) with F^{I(SP)} is a partial subalgebra of T_{SP'(X*)}. □ 

^1 The presence of safe variables in E doesn't change standard algebraic semantics (and 
logic) of SP. 

^2 For the sake of simplicity, we shall identify the predefined algebra A with the initial 
algebra I(SP) - forgetting about a possible difference between their signatures. 



An important problem coming from this construction is to characterise syntactically 
a class of basic specifications providing safe-consistent presentations (and so 
algebraic semantics) for any functional EDPA.^3 The following sufficient condition is 
a generalisation of our previous results on this topic.^4 

Theorem 3. An algebraic presentation SP(X*) + (F,R) of the functional EDPA 
(F,R)_A is safe-consistent if each axiom l = r of SP(X*) satisfies the following 
condition: any variable occurring non-linear in l or r is safe. □ 

It is worth noting that presentations of this kind (with safe non-linearity) allow to 
use safely inductive equational theorems^5 of SP for proving theorems about new 
functions, because the basic interpretation (3) is consistent with all such equations 
valid in the predefined algebra A. 

Now we turn to the safe-completeness property in order to investigate a class 
of (safe-consistent) EDPA defining total functions. 

3 Safe Completeness and Persistency of EDPA 

A complete EDPA is supposed to define a total basic interpretation F^A (i.e., consisting 
of total functions f^A). Regarding algebraic presentations with safe variables, 
one can check that the basic interpretation defined by (3) is total iff SP'(X*) is 
safe-persistent. Combining this with Theorem 3, we obtain the following corollary 
for the class of presentations SP'(X*) with safe non-linearity of functional EDPA: 
the basic interpretation is total iff SP'(X*) is safe-complete. 

To go further, one can vary the set of safe variables in SP'(X*) to obtain a 
spectrum of restricted congruences, models T_{SP'(X*)} and basic interpretations 
F^{I(SP)}. In the extreme case when X* = ∅, the presentation SP' becomes just 
a many-sorted enrichment and Def. 1 yields the usual "unrestricted" or "unsafe" 
notions of the least congruence, consistency, completeness, and persistency. 

In general, =_{E:R} is weaker than =_{E+R}, so consistency implies safe-consistency and 
safe-completeness implies completeness, but not vice versa. We have proved the 
following facts about the relations between these safe and unsafe properties. 

Theorem 4. If the presentation SP'(X*) is safe-persistent, then its unsafe version 
SP' (with X* = ∅) is persistent and defines the same (total) basic interpretation 
as the first one. In the particular case of functional EDPA, safe-completeness of the 
presentations with safe non-linearity implies persistency of SP'. □ 

However, the converse is not true: 

Proposition 5. There exists a functional EDPA and its (safe-consistent) presentation 
SP'(X*) with safe non-linearity such that the latter is not safe-complete, but 
becomes persistent when X* = ∅. □ 

^3 because any functional equational definition admits well-defined denotational semantics. 

^4 cf. Theorems 10, 11 in [3]. 

^5 whose non-linear variables are also safe. 
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Thk 0 iMBa Uiat tometiniM the eefe noa>liiie«rity requirement is still too strong snd 
gives rise to s psrtisl bssk interpretation when it could be total - if all the variables 
were made unsafe. However, the following proposition demonstrates the opposite 
effect: 

Proposition 6. There exists s funeiionsl EDPA (P,fZ),s with s ssfe-eomststeni and 
net ssfe~compkte presenistion SPiX*) such that its snss/e eerstoa SP" is complete 
and inconsistent ($o can’t provide any issic interpretation F’*). □ 

To put it in other words, junk can be the reason for confusion, if one doesn't somehow protect the basic axioms from it. The results of this paper show that the safe non-linearity condition is sufficient to provide such a protection for functional EDPA, but is still not always necessary. It is an interesting open problem to find a proper weakening of the condition which would make any SP'(X*) safe-persistent whenever SP' is persistent.

4 Related Work 

A simple and elegant approach to partial algebras within the usual framework of many-sorted (total) ones has been suggested in [4] in terms of based specifications. Our Def. 1 and Prop. 2 would give essentially the same semantics if we restricted ourselves to only unsafe presentations (with X* = ∅). But this would give rise to the problem with consistency pointed out in Prop. 6 (cf. also the "instructive example" in [3]).

Algebraic specifications with built-in algebras introduced in [1] are very similar to EDPA, but their semantics was defined through "completely protected" presentations SP(X*) with X* = X (cf. also stratified specifications in [5]). This is another extreme case which captures only predefined algebras with strict operations and gives rise to certain problems with completeness (Prop. 5). It would be interesting to try to extend the term rewriting theory presented in [1] to the more general class of presentations with safe non-linearity.
1 Universal Algebras, Modeling and Software Engineering

Our research uses universal algebras in a model-based approach to the software engineering process. We organise the analysis, design and implementation of software systems by combining the paradigms of mathematical modeling and universal algebras. Models based on mathematical modeling principles and represented using universal algebras provide a practical alternative to both the common, ad hoc approaches to the software engineering process and other object-oriented methods. We have used universal algebra models to support the development phases of the software engineering process. Algebraic models unify many of the current object-oriented paradigms as well as defining another paradigm for object-oriented software engineering. Our results support using algebraic methods as a foundation for the software engineering process.

In this paper, we first describe the similarities between mathematical modeling and the software engineer's task, and then describe how to use these similarities to develop a software engineering process that starts with algebraic models of the real-world system. We define the software engineering process as the refinement of these models. We show how these universal algebra models are developed during the analysis phase, refined during the design phase, and used during the implementation phase of a software project. Our models are also used during the maintenance phase to provide design and implementation information. We show evidence that this paradigm for development is good and useful. Our work develops a general, algebraic model-based implementation technology. We believe these steps provide advantages for software engineering and define a viable alternative to present software engineering technology.

2 Mathematical Modeling and the Software Development Process

The fundamental principle underlying our work is the idea of a model in both the epistemological sense of Minsky [Min85] and Naur [Nau85a] and the system modeling sense of Zeigler [Zei76] and Casti [Cas85]. The purpose of a model is to represent information about a system. The model uses a formal notation to represent the information internalised by a programmer about the system. In our case, we use universal algebras as the formal notation for our model. We agree with Naur [Nau85a] that all systems are understood by programmers in terms of some internalised model but represented in some externalised, formal notation. As Naur points out in [Nau85b] and [Nau89], good notation encourages the internalisation process. The ability of a programmer to answer new questions about the model demonstrates that information has been internalised. We recast the software engineering problem as the development and transmission of algebraic models with their accompanying notation from one group to another.

An important advantage of employing algebraic models is the ability to use the theory of modeling as in Zeigler [Zei76] to develop and define terminology and use the theory of universal algebras as in [Meh90] to describe the development process. We use Zeigler's approach for model development as the starting point for our work. Zeigler defines the model building process as a series of five steps:

1. identify the components;

2. identify the interactions between the components;

3. simplify the model;

4. build a computer simulation of the model; and

5. validate the model.

Zeigler's approach, by focusing on the objects visible to the modeler, embodies the fundamental ideas of object-oriented software engineering. Further, the use of universal algebras to represent the models provides us with a notation that is both concise and flexible enough to describe various software systems. Even computer languages like SIMULA67 [Dah72], developed for modeling, use the concepts of universal algebras to describe abstract data types as defined by the ADJ Group [Gou78] and Zilles [Zil80]. The relationship between the theory of modeling and software engineering allows us to unify many of the model-based object-oriented software engineering approaches.

3 Software Engineering with Universal Algebras

We now describe the steps in our algebraic software engineering process and then apply these steps to developing a software system. We relate the steps in our process to the steps in the mathematical modeling process and show how we can use the interpretation of universal models to describe the process at each step.

Our initial or analysis model uses the customer's description of the components to produce a system specification using a universal algebra. Tse's dissertation [Tse91] shows how we can use a diagram to communicate with the customer and represent all of the information in a universal algebra. The design phase refines the analysis model by introducing new objects and using the resources available to determine the concrete data structures and algorithms. This refinement is a homomorphic transformation of the analysis model. The implementation phase converts the data structures and algorithms in our design model into statements in a programming language. Our entire process can be characterized in terms of universal algebra models, and the universal algebra gives us a uniform notation for each step in the process.

4 Case Studies

We have used this algebraic approach in several systems. The first, described in the 1984 POPL [Mil84], used an algebraic description of attribute grammars to generate Pcode from Pascal. We produced a more compact and understandable description of the Pascal-to-Pcode translation than the corresponding compiler from ETH Zurich [Nor76]. Although the underlying system, Paulson's Compiler Generator (PCG) [Pau82], limited us to a fixed set of primitives for building the algebra, we were able to define domains and operations on those domains. Also, PCG was a declarative system in that we only specified local rules and PCG determined the sequence for applying those rules. This project showed a means of prototyping a language using a direct implementation of the algebraically described semantics.

A second system, the Capture Storage Element (CSE) of the Optical Digital Image Storage System (ODISS), showed how we used an algebraic model to develop a system originally specified using another notation. ODISS also shows how the objects seen in the system by the customer are beneficial during development. That is, the software should reflect the way in which the customer perceives the tasks. ODISS is a distributed document storage system originally specified using data flow diagrams. The CSE provided intermediate storage for documents before they were written to optical disk. ODISS was developed by Systems Development Corporation to digitize and store Civil War documents for the National Archives and Records Administration (NARA) of the United States.

The algebraic model developed for the CSE was based on documents, unlike the other subsystems in ODISS which were based on pages. The algebraic description provided the basis for the user documentation and the implementation (≈ 17,000 lines of C). During the fifteen months of development and integration, only one integration error occurred due to misunderstanding the notation and only one serious error was found after delivery. Further, being able to examine the state of documents became a major tool during the integration phase of the project. After delivery, one of the first requests from the user was the ability to query document status, and this capability was easily added.

Since C is not object-oriented, the algebraic description became a key reference document during the development and permitted a ready assessment of the state of the implementation. Our experience with ODISS shows how a model-based algebraic design, derived from another notation, can define the interface and guide the implementation of a software system.

The third system we developed was a code optimiser for a portable compiler, where we demonstrated how modeling produced a working system faster than other approaches. This work was done as part of an advanced course in compiler construction. The class divided into three teams. One team started with Peter Bird's CoGG system [Bir82], another team used a simple parser-based technique, and we used modeling and simulation. Each team started with the portable BCPL compiler [Ric80] which had recently been ported to a Motorola 68000 system using a simple version of the macro expansion technique described in Strachey's GPM [Str65].

The BCPL compiler produces an intermediate code (called OCODE) for a stack-based virtual machine. The intermediate code changes the code generation problem from one of mapping a high-level language to machine code into mapping a low-level intermediate code to machine code. One technique for code generation particularly suited for mapping OCODE to a target machine is simulation. We used the simple code generator as the starting point for our code generation model and used a universal algebra to describe the simulation process. We used different signatures for the universal algebra to define different optimizations. The implementations differed in the amount of state information carried in objects in the system. Out of the three teams, each of which started with a working compiler, we were the only ones to have a working compiler at the end of the course. Our exploitation of the original code generation model by expanding its simple signature played an important part in our success.

Our current work-in-progress is the Global Accelerator Control System (GACS) for the Superconducting Super Collider (SSC) Laboratory, a high-energy physics project being built near Dallas, Texas. The SSC will be the largest scientific instrument ever built. The proposed design for the control system has much in common with our algebraic models. The GACS will be based on EPICS, a control system designed at Los Alamos National Laboratory. EPICS has many of the features present in our other models. For example, the primitive objects in EPICS are classified based on the type of signal processed (binary, analog) and the update frequency. This means that physicists using EPICS do not need expertise in writing device drivers or working with real-time kernels. The physicist sees a model of the accelerator described in terms familiar to the physicists. This is analogous to ODISS where the archivist sees a system that organises pages as documents, which is the same way the archivist organizes pages.

EPICS currently provides a control system for small accelerators throughout the United States. Just as in the BCPL optimizer project, the accelerator model provided by EPICS must become more sophisticated to support the additional complexities of the SSC. We have proposed the same kind of algebraic modeling approach used in the BCPL optimizer project as a viable means to expand the capabilities of EPICS to meet the requirements of the SSC.

These systems show four applications of algebraic software engineering, all of which started with a model of the application described using a universal algebra. Each of these systems used algebraic descriptions to develop the design and implementation, and performed well with respect to various measures.
An Automated Proof of the Correctness of a Compiling Specification

E.A. Scott, Mathematics and Computational Sciences, University of Surrey, U.K.

In this paper we discuss an automated proof of the correctness of a compiler. The source language for the compiler is PL0 [8], a subset of OCCAM2 [5]. The target language, ML0, is based on the machine language for the transputer [6]. Since the early work of Cohn [2] in the LCF system, compiler proofs have attracted a lot of attention as test cases for automated theorem provers, see for example [11] and [12]. Recently Broy [1] has used the Larch Theorem Prover to verify a code generator for a functional language. Our work differs from earlier studies in that we start with a detailed hand proof of compiler correctness and attempt to use a theorem prover to verify the proof.

The Languages PL0 And ML0

Intuitively, we expect to call a compiler correct if for all programs p, p and its compiled version have the same meaning. However, to give any kind of formal proof we must first formally define the semantics of the source and target languages. We use the approach that was developed in [9] and [7]. The basic idea is to begin by defining an extension PL1 of PL0. The syntax of PL1 is given in standard BNF fashion. A refinement relation ⊑ is defined on PL1 which captures enough of the semantics of the language to prove the results. Since PL0 is a subset of PL1 its semantics are inherited directly. The key aspect of this approach to compiler correctness, which was developed in [4], is that the necessary properties of the semantics of ML0 are also defined in terms of PL1. There is given a function I from ML0 to PL1, and the meaning of process m in the language is defined to be the meaning of I(m) in PL1. This allows a direct comparison of the meanings of elements of PL0 and ML0.

The function I is the composition of two functions mtrans and Interp. The function mtrans takes ML0 instructions and translates them into transputer code. The function Interp takes lists of transputer code and returns PL1 processes.



The main objection to this approach states that the semantics of a machine language cannot be defined in this way because there will be a prescribed semantics given naturally by the induced machine behaviour. In [7] this issue is not addressed; it is assumed that the semantics are defined by PL1. If we were to begin with prescribed semantics for ML0 it would be necessary to prove the properties which in this work are defined by the function I, i.e. we would have to prove the correctness of I. This should be possible provided that the prescribed semantics are sufficiently explicit, for the properties assumed in this work are all explicitly stated in the LP specification of PL1. An alternative approach is to consider the interpretation I as providing a specification for the target language. Then we have (partial) specifications for source languages, target languages and compilers together with a proof that the compiling specification is correct for all languages satisfying the language specifications. As the aim of our work is to study the automation of the proofs given in [7], we shall take this view.
An advantage of the refinement relation approach is that proofs carried out are valid for any language which has the properties described by ⊑. Thus if PL0, and hence PL1, are later extended to richer languages the proofs discussed in this work will remain valid provided the properties required for the proofs still hold. Thus it is important that all the properties used in the proofs are explicitly stated so that it is clear what must be preserved in future extensions.

Compiler Correctness

For a given compiler C we cannot expect to be able to prove that p and I(C(p)) are equal. The compiled version of a program will contain identifiers, corresponding to things such as the program pointer and error flag, for which there will be no analogous identifiers in the original program. Thus we have to consider a PL1 process Qp that renames the identifiers in I(C(p)) and ends the scope of those identifiers introduced for machine purposes. It is reasonable to assert that SEQ(Qp, p) has the same meaning as p, where SEQ is concatenation of PL1 processes. Thus we formally define a compiler C to be correct if, for all PL0 processes p, we have that

SEQ(Qp, p) ⊑ SEQ(I(C(p)), Qp).

In [7] there are given sets of conditions Cp on ML0 programs, and theorems of the form

If m satisfies Cp then SEQ(Qp, p) ⊑ SEQ(I(m), Qp).

The theorems show that for a correct compiler C it is sufficient to take C(p) to be any sequence of code m which satisfies Cp. Thus the set of all the Cp can be thought of as a compiling specification and the theorems prove that this specification is correct. These theorems are proved by hand in [7]. This work is an attempt to give automated proofs. The theorem prover used is the Larch Prover (LP) [3].

Automating The Proofs

When automating an existing hand proof there are two aspects to be considered:

(i) Can the system in which the proof is to be carried out be specified in the logic of the theorem prover?

(ii) Are the proof techniques of the theorem prover able to prove the results?

In this study (i) is equivalent to 'can we specify PL1 in the logic of LP?' Answering this question turned out to be a major project in its own right, see [10]. In this paper we concentrate on (ii), using LP to prove the theorems within the specification of PL1 which was developed in [10].

It is our experience that if a system can be specified in the logic of LP but an original hand proof cannot be reproduced using LP then this is because the original proof contained mistakes. There are two kinds of mistakes: those that can be corrected and those that cannot. A mistake is correctable if there exists a correct proof of the result and uncorrectable if the result cannot be proved. In the case of correctable mistakes we have been able to find a correct proof using the theorem prover. Uncorrectable mistakes can arise in two ways: either a misunderstanding of an implicit assumption led to the mistaken belief that a result should be true, or the original specification does not have the properties that were intended. In the first case, once the misunderstandings were identified we were able to produce revised, provable versions of the results. In the second case the specification was modified to allow the proof of the results. Such modifications usually involved 'tightening up' implicit assumptions.

We have automated proofs of the correctness theorems for SKIP, STOP, assignment and the operator SEQ, together with the correctness of expression compilation for identifiers, integers and sums of expressions. We have not proved all the correctness theorems (they are not all proved in [7]); however, we have proved a sufficiently wide range to show that all the theorems could be proved by LP if the effort were considered to be worthwhile.

The Larch Theorem Prover

The Larch Prover is an equational reasoning theorem prover developed at MIT by S. Garland and J. Guttag [3]. It is intended primarily as an interactive proof assistant or debugger, and it is in this capacity that we have used it. LP is a theorem prover for a subset of multisorted first-order logic with equality. Equations are asserted by the user, then ordered by LP into a rewrite system which can be used to prove other equations. The logic also contains deduction rules, statements of the form

When [(FORALL x_i)] (hypotheses) Yield (conclusions)

where the x_i are variables, and where (hypotheses) and (conclusions) are sequences of equations. A specification in the LP logic can be axiomatised with induction rules. The statement

assert sort generated by operators

ensures that the only elements of sort are those that can be constructed using the specified operators. Results are proved by term rewriting; the rules are used to simplify both sides of an equation until a known equality is obtained. LP also supports proofs by induction, cases, and contradiction, and equations can be proved by performing critical pair calculations. See [3] for a full description of LP.
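To make the rewriting strategy concrete, here is an added Python example; it is not LP itself and not code from the paper. It implements the core of an LP-style equational proof: the user's equations are oriented into rewrite rules, both sides of a goal are reduced to normal form, and the goal counts as proved when the normal forms coincide. The rule set (Peano addition) and the goals are constructed for the example. It also shows the limit the paragraph alludes to: x + 0 = x does not follow by rewriting alone and needs an induction rule, which is why LP provides them.

```python
# Added example, not part of the Larch Prover or the paper: a miniature
# equational prover in the LP style. A term is a tuple (operator, *arguments);
# a bare string is a variable. Rules are (lhs, rhs) pairs oriented left to right.

def match(pattern, term, binding):
    """Match `pattern` against `term`, extending `binding` in place.
    A pattern variable may bind to any subterm; a variable that is already
    bound must meet an identical subterm."""
    if isinstance(pattern, str):
        if pattern in binding:
            return binding[pattern] == term
        binding[pattern] = term
        return True
    if (not isinstance(term, tuple) or len(term) != len(pattern)
            or term[0] != pattern[0]):
        return False
    return all(match(p, t, binding) for p, t in zip(pattern[1:], term[1:]))


def substitute(term, binding):
    """Instantiate the variables of a rule's right-hand side."""
    if isinstance(term, str):
        return binding[term]
    return (term[0],) + tuple(substitute(a, binding) for a in term[1:])


def normalize(term, rules):
    """Reduce to normal form, innermost first: normalize the arguments, then
    try each rule at the root; a successful rewrite is normalized again.
    This terminates because the constructed rule set is terminating, which is
    what LP's ordering of the user's equations into rules guarantees."""
    if isinstance(term, tuple) and len(term) > 1:
        term = (term[0],) + tuple(normalize(a, rules) for a in term[1:])
    for lhs, rhs in rules:
        binding = {}
        if match(lhs, term, binding):
            return normalize(substitute(rhs, binding), rules)
    return term


def skolemize(term):
    """Turn the free variables of a goal into fresh constants so that they are
    never instantiated by matching: the goal must hold for all their values."""
    if isinstance(term, str):
        return (term,)
    return (term[0],) + tuple(skolemize(a) for a in term[1:])


def prove_by_rewriting(lhs, rhs, rules):
    """LP-style proof attempt: both sides are reduced to normal form and the
    equation is proved when the two normal forms are identical."""
    return normalize(skolemize(lhs), rules) == normalize(skolemize(rhs), rules)


# Constructed axiomatization of Peano addition, oriented as rewrite rules.
ZERO = ('0',)


def s(t):
    return ('s', t)


def plus(a, b):
    return ('+', a, b)


PEANO_RULES = [
    (plus(ZERO, 'y'), 'y'),                  # 0 + y  -> y
    (plus(s('x'), 'y'), s(plus('x', 'y'))),  # s(x) + y -> s(x + y)
]

if __name__ == "__main__":
    # 1 + 1 = 2 is provable by rewriting alone.
    print(prove_by_rewriting(plus(s(ZERO), s(ZERO)), s(s(ZERO)), PEANO_RULES))
    # x + 0 = x is true but not provable by rewriting: the normal forms differ,
    # so an induction rule over the constructors 0 and s would be needed.
    print(prove_by_rewriting(plus('x', ZERO), 'x', PEANO_RULES))
```

The second goal is the instructive one: the left-hand side x + 0 is already in normal form because neither rule matches a skolemized x, so rewriting stops and the prover reports failure rather than a wrong answer; that gap is exactly what LP's "generated by" induction rules close.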

Results

As a consequence of the attempt to automate the proofs we discovered both correctable and uncorrectable mistakes. In the case of correctable mistakes the proofs were easily modified and we only mention these in passing. The discovery of uncorrectable mistakes led to the need to modify both the specification of PL1 and the formal definition of compiler correctness to allow the results to be proved.

Modifications to the specification of PL1 were necessary because there were not enough laws given in the original specification to prove the theorems. In particular we have had to add extra properties to the specification of identifiers and assignment, and we have had to give a more precise definition of the function Interp. The addition of extra properties is not a serious problem because the original specification was never intended to be complete. Rather it was just meant to be detailed enough to allow the proofs of the theorems, see [7]. So we merely added the necessary extra laws to the specification. The problems with the definition of Interp were correctable errors in the above sense. Essentially all that was involved was the addition of some assignments which ensured that the proofs followed from the specific laws stated and did not rely on any implicit assumptions.

A more serious problem was that the definition of the correctness of expression compilation given in [7] could never be satisfied by any compiler. This is an example of a mistake where the incorrectness of the result was unnoticed because some assumptions about the original specification were only made implicitly. Once these assumptions were identified we were able to reformulate the definition of correctness so that the result was true.

We also found that the theorems in [7] were not sufficient to prove that C(p) would be correct for all p. The argument that the theorems prove the correctness is an inductive one: C(p) is proved to be correct for all basic processes p, and then complex processes are dealt with under the assumption
that all subprocesses are known to be correct. For example, C(SEQ(p, q)) is proved correct under the assumption that C(p) and C(q) are known to be correct. However, when r = SEQ(p, q), we need

SEQ(Qr, p) ⊑ SEQ(I(m), Qr)

to prove that C(r) = m is correct. Thus we needed to prove stronger theorems of the form:

If m satisfies Cp then SEQ(Qr, p) ⊑ SEQ(I(m), Qr), for any process r that has p as a subprocess.

After correcting these and other minor errors, we were able to use LP to produce automated proofs of the specification theorems.

The pragmatic conclusions that can be drawn from this work are that the (modified) compiler specification is correct, and that there already exist automated theorem provers capable of showing this. Furthermore, the compiling specification was developed independently of the automation, so this is a good test of the capabilities of the theorem prover used. However, perhaps the most powerful conclusion to be drawn from this study is the importance of automated theorem provers in the detection of mistakes in implicit aspects of a hand proof. It is in the implicit assumptions of a hand proof that errors most often occur and remain undetected (by human checkers). Automated proofs require implicit aspects to be made explicit, thus exposing such errors.
RELVIEW - A Computer System For the Manipulation of Relations

Rudolf Berghammer and Gunther Schmidt
Fakultät für Informatik, Universität der Bundeswehr München
Werner-Heisenberg-Weg 39, D-85577 Neubiberg

People working with relations (e.g., in the theory of partial orderings, lattice theory, or graph theory) very often use a greater or smaller example and manipulate it with pencil and paper in order to prove or disprove some property. For supporting such a task by machine (and also since manipulation by hand is no longer feasible with bigger examples), the RELVIEW system ([Berghammer Schmidt 91]) has been constructed at the Bundeswehr-University at Munich. The system is written in C and is currently available for Sun workstations with American National Standard C and Sunview 4.0.

RELVIEW is a totally interactive and completely video-oriented computer system for the manipulation of concrete relations which are considered as Boolean matrices. Its screen is divided into two parts. The left part is the drawing-window; here matrices can be drawn and manipulated using a mouse. The right part contains the command buttons and the scrollbars. The scrollbars can be used for showing a part of a relation the size of which exceeds the maximal window size. Also textual input (e.g., dimensions or names of relations) and output (e.g., results of tests, error messages) is requested and shown, respectively, in this part.

One relation, the so-called working copy, is displayed on the screen for editing. A whole collection of relations can be kept in the working memory during a working session. Such a collection may also be saved on permanent memory, e.g., on a hard disk. If a stored relation from the memory is displayed in the drawing-window for editing, a duplicate working copy is created. Editing with the mouse only affects the working copy and thus does not change the original. To overwrite the original by the working copy, a specific RELVIEW command has to be used.

Execution of system commands is possible by clicking on command buttons. If a command requires arguments, then execution does not start before the last argument is given. Thus, if the user has inadvertently chosen a wrong button, undo consists in choosing the correct button, provided the argument input has not been finished. Besides some management commands, first, the system provides commands implementing the basic operations on relations. Furthermore, we have commands for residuals, quotients, and closures, for certain tests on relations, and commands which implement the operations important in relation-algebraic domain description (compare [Berghammer et al. 89, Zierer 91]). And, finally, RELVIEW allows the user to define and apply their own functionals on relations, where in the case of a unary functional with identical domain and range repeated application is also possible. A useful fact in applications is that the latter command can be used to compute fixpoints of monotone functionals. For instance, if the homogeneous relation R is contained in the working memory and one declares a RELVIEW functional

initial = -(R*-%),

where % stands for the variable, * means multiplication, and - means negation, then a repeated application of this functional to the empty vector yields the vector of the points from which only paths of finite length emerge. (Compare the definition of the initial part of a graph in [Schmidt Strohlein 89], Section 6.3.)
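The fixpoint iteration just described, as an added Python example that is not part of RELVIEW or its authors' work: the relation R is a Boolean adjacency matrix (a list of 0/1 rows, R[x][y] = 1 meaning x R y), a vector is a list of 0/1 entries, and the functional -(R*-%) is applied repeatedly starting from the empty vector until nothing changes. The sample graph is constructed for the example; the names `initial_step` and `initial_part` are ours.

```python
# Added example (not RELVIEW code): the initial part of a graph as the least
# fixpoint of the functional  initial = -(R*-%)  on Boolean matrices.

def compose_rel_vec(R, v):
    """R*v: point x is in the result iff there is some y with x R y and y in v
    (Boolean matrix times Boolean column vector)."""
    n = len(R)
    return [int(any(R[x][y] and v[y] for y in range(n))) for x in range(n)]


def negate(v):
    """-v: complement of a vector."""
    return [1 - b for b in v]


def initial_step(R, v):
    """One application of the functional -(R*-v): the points all of whose
    successors already lie in v (points without successors included)."""
    return negate(compose_rel_vec(R, negate(v)))


def initial_part(R):
    """Iterate from the empty vector until the vector stops changing.
    The functional is monotone and the start vector is the least one, so the
    iterates form an ascending chain that stabilizes after at most n steps,
    and the limit is the least fixpoint: the points from which only paths of
    finite length emerge."""
    v = [0] * len(R)
    while True:
        w = initial_step(R, v)
        if w == v:
            return v
        v = w


def is_fixpoint(R, v):
    """True iff v is left unchanged by the functional."""
    return initial_step(R, v) == v


# Constructed sample graph on points 0..5:
#   0 -> 1 -> 2        (2 is a sink, so 0, 1, 2 admit only finite paths)
#   3 <-> 4            (a cycle: infinite paths start at 3 and 4)
#   5 -> 3             (5 leads into the cycle)
SAMPLE_R = [
    [0, 1, 0, 0, 0, 0],
    [0, 0, 1, 0, 0, 0],
    [0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 1, 0],
    [0, 0, 0, 1, 0, 0],
    [0, 0, 0, 1, 0, 0],
]

if __name__ == "__main__":
    print(initial_part(SAMPLE_R))   # [1, 1, 1, 0, 0, 0]
```

Starting from the empty vector is what makes this the initial part: the full vector is also a fixpoint of the same functional (the greatest one), so iterating from it would report every point, which is why the text insists on the empty vector as the starting value.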

A detailed description of how to draw on the drawing-window, how to use the scrollbars, and how to execute a command (including parameter passing and result delivery) is given in [Abold-Thalmann et al. 89] and [Berghammer 92]. The first report also presents some implementation details, e.g., the internal representation of relations, and outlines fast algorithms for computing products, symmetric quotients, and residuals of relations. In the second report, also an example for prototyping using RELVIEW is presented, viz. the computation of the cut completion of a partially ordered set.

In the meantime, a lot of other studies have been performed with the RELVIEW system including further graph- and order-theoretic questions resp. algorithms, DAG-languages, domain constructions, relational specifications, and relational semantics. Of course, computation with RELVIEW is limited in space and time. The limit, however, depends heavily on the type of problem handled. As an example, we mention again the computation of the initial part. On our installation (SUN SPARCstation 10), we have treated, e.g., graphs with up to 5000 points.

Let us close with a few remarks on further developments of RELVIEW. It turns out that the system is a good tool for the interactive manipulation of relations. However, experience has shown that for some tasks certain additional features will be very helpful. A main improvement is possible in the layout. The present Boolean matrix visualization of relations is well-suited for many tasks, in particular, if the intention is to get insight into an "abstract" relational problem. However, if the system is used to solve concrete problems on graphs or related structures by relational methods, then it seems better to visualize homogeneous relations as directed graphs. Therefore, for the future we plan the incorporation of commands realizing a transition between Boolean matrices and graphs. Especially, it should be possible to edit a relation as a graph. For a visualization of results, furthermore, the user should be given the option to display a relation on the screen as a directed graph and to emphasize a specific subset of the nodes described by a vector.

Besides this main extension, we also plan some minor extensions of RELVIEW. E.g., we are concerned with interfaces to other systems. The ability to produce scientific papers on relations which mix text and drawings of Boolean matrices and graphs, respectively, can be obtained by interfacing the RELVIEW system with some typesetting systems. Furthermore, an interface to the relational formula manipulation system and proof checker HALF (also developed at Bundeswehr-University Munich [Brethauer 91]) is planned.
Formal methods comprise two aspects, namely formal specification and verified design. The methodology underlying these methods is first to specify precisely the behaviour of a piece of software, then to write this software and finally to prove whether or not that actual implementation meets its specification. This final aspect of formal methods is known as 'verified design'. Unity [CM88, M92, Kna90], like the action systems approach [BS91], is a formal method that attempts to decouple a program from its implementation. Therefore, Unity separates logical behaviour from implementation, provides predicates for specifications, and proof rules to derive specifications directly from the program text. This type of proof strategy is often clearer and more succinct than arguing about a program's operational behaviour.

Our research fits into Unity's methodology. Its aim is to develop a proof environment suitable 
for mechanical proof of concurrent programs [BM93]. This proof is based on Unity [CM88], and 
may be used to specify and verify both safety and liveness properties. Our verification method 
is based on theorem proving, so that an axiomatization of the operational semantics is needed. 
We use Dijkstra's wp-calculus to formalise the Unity logic, so we can always derive a sound 
relationship between the operational semantics of a given Unity specification and the axiomatic 
one from which theorems in our logic will be derived. In a mechanically verified proof, all 
proof steps are validated by a computer program called a theorem prover. Hence, whether a 
mechanically verified proof is correct is really a question of whether the theorem prover is sound. 
The theorem prover used in our research is B-Tool [CL91c, CL91b, CL91a]. B provides a platform 
for solving the problem of specification and correct construction of software systems. It is a flexible 
inference engine which forms the basis of a computer-aided system for the formal construction 
of provably correct software. Using a mechanized theorem prover to validate a proof presents 
an additional burden for the user, since machine validated proofs are longer and more difficult 
to produce. However, if one trusts the theorem prover, one may then focus attention on the 
specification that was proved. This analysis may be facilitated by consulting the mechanized 
proof script. 

The design of the programming environment consists of several steps that are either automatic 
or semi-automatic (Figure 1). The first step consists in writing a Metal specification of 
the Unity language. This specification defines the concrete syntax, the abstract syntax and the 
rules of tree formation that express the correspondence between abstract and concrete syntax. 
Metal-Ppml generates tables and programs used to generate a parser from this specification. 
The generation of a parser is not completely automatic and the user has to supply some file 
names along with those generated by Metal-Ppml. The semantics of the language is handled by 
the Typol environment. The second step writes the Ppml specification of the rules 
of textual representation (or unparsing) for the Unity formalism from its abstract syntax. The 
unparser for the Unity formalism is generated using the compile command of the Metal-Ppml 

* On sabbatical leave at the Department of Computing Science, University of Stirling, under the European 
Science Exchange Programme Royal Society - CNRS. 

¹ This division is taken from Jones (Systematic Software Development Using VDM, 1990). 

Figure 1: The Proof Environment 

environment. The Unity environment comprises two kinds of editors: textual and structural. 
The user can easily write a Unity program in a textual form. A parser checks it. If the program 
is syntactically correct, the parser generates the internal representation. The user can run an 
interface to the theorem prover that allows him to prove the correctness of the Unity program 
using the set of its actions (statements). The interface ensures the interaction between the Unity 
environment and the proof system implemented under B. The interface operates on the internal 
representation. 

The prover is designed according to the enrichment principle. A basic layer represents 
Dijkstra's wp-calculus [Dij76]. This is successively enriched with other theories for reasoning 
on Unity programs. To wp-theory, we have supplied another layer for deriving safety properties 
which we denote by unless-thy. Ensures-thy and leads-to-thy define the most interesting progress 
properties (Figure 2). 


Figure 2: Structure of the Proof System 

Keywords: Automated theorem proving, concurrency, program verification, formal specifications, 
Unity, B-Tool. 
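The layering described above (wp-calculus at the bottom, then unless, ensures and leads-to), as an added example that is not part of the paper or of its B-Tool implementation: a constructed two-action Unity program over a finite state space, each layer defined in terms of the one below it, with leads-to checked by transitivity over a user-supplied chain of ensures steps, the way a proof script would supply them. The program, its variable ranges and the enumeration of states are assumptions made for illustration.

```python
from itertools import product

# Constructed Unity program (not from the paper): x and y range over 0..3,
# so every predicate can be checked by enumerating the finite state space.
STATES = [{"x": x, "y": y} for x, y in product(range(4), repeat=2)]

def inc_x(s):  # action: x := x + 1 if x < 3
    return {**s, "x": s["x"] + 1} if s["x"] < 3 else s

def inc_y(s):  # action: y := y + 1 if x = 3 and y < 3
    return {**s, "y": s["y"] + 1} if s["x"] == 3 and s["y"] < 3 else s

ACTIONS = [inc_x, inc_y]

def wp(action, post):
    """Basic layer: weakest precondition of a deterministic action."""
    return lambda s: post(action(s))

def hoare(pre, action, post):
    """{pre} action {post} holds iff pre implies wp(action, post) in every state."""
    return all(wp(action, post)(s) for s in STATES if pre(s))

def unless(p, q):
    """unless layer (safety): {p and not q} a {p or q} for every action a."""
    return all(hoare(lambda s: p(s) and not q(s), a, lambda s: p(s) or q(s))
               for a in ACTIONS)

def stable(p):  # p stable means p unless false
    return unless(p, lambda s: False)

def ensures(p, q):
    """ensures layer: p unless q, and one single action establishes q."""
    return unless(p, q) and any(
        hoare(lambda s: p(s) and not q(s), a, q) for a in ACTIONS)

def leads_to_chain(preds):
    """leads-to layer: preds[0] leads-to preds[-1] by transitivity over a
    chain of ensures steps; the chain plays the role of the proof script."""
    return all(ensures(p, q) for p, q in zip(preds, preds[1:]))

def check_safety():
    """Once y > 0 holds it is never falsified by any action."""
    return stable(lambda s: s["y"] > 0)

def check_progress():
    """x=0,y=0 leads-to x=3,y=3: first x climbs to 3, then y climbs to 3."""
    chain = [lambda s, k=k: s["x"] == k and s["y"] == 0 for k in range(4)]
    chain += [lambda s, j=j: s["x"] == 3 and s["y"] == j for j in range(1, 4)]
    return leads_to_chain(chain)
```

Each layer only calls the layer beneath it, mirroring the enrichment principle; a wrong intermediate predicate in the chain makes the corresponding ensures step fail, which is exactly the obligation the theorem prover would reject.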

Introduction In addition to facilitating formal reasoning about software, algebraic specifications 
provide means for rapid prototyping [1]. In particular, this can be applied to 
specifications of various aspects of programming languages, thus obtaining tools that can 
be part of a programming environment for the language specified. In Amsterdam, at CWI 
and UvA, the GIPE¹ group has been studying these topics. Thus far, this has resulted in: 

• An algebraic specification formalism, ASF+SDF, especially designed for defining the 
syntax and semantics of programming languages [1, 4]; 

• The ASF+SDF tool generator, deriving parsers and term rewriting machines from 
algebraic specifications [5]; 

• The ASF+SDF Meta-environment, giving support when developing ASF+SDF 
specifications [5]. 

The ASF+SDF formalism and system are especially designed to support easy specification 
of all relevant properties of programming languages: syntax, static semantics, 
dynamic semantics, transformations, and so on. 

The ASF+SDF Formalism The ASF+SDF formalism is the result of the "marriage" 
of ASF [1] with SDF [4]. ASF is an Algebraic Specification Formalism, supporting many- 
sorted first-order signatures, (conditional) equations, and modularization. SDF is a Syntax 
Definition Formalism, defining lexical, concrete, and abstract syntax all at once. Each SDF 
rule corresponds both to a context-free grammar production, and a function declaration 
in a signature. 

The ASF+SDF System From an SDF definition, a parser can be derived, which in turn 
can be used to derive a syntax-directed editor. The equations of an ASF+SDF module can 
be executed as term rewriting systems. Both the parsers and the term rewriting systems 
are generated incrementally, so small updates in the specifications lead to adaptations 
rather than regenerations from scratch. 

¹ Partial support has been received from the European Communities under ESPRIT project 2177 (Generation 
of Interactive Programming Environments II - GIPE II) and from the Netherlands Organisation 
for Scientific Research - NWO, project Incremental Program Generators. 

The ASF+SDF system and formalism have been used successfully for the derivation of 
environments for (subsets of) λ-calculus, Eiffel, Action Semantics, modelling of financial 
products, Pascal, Lotos and so on. 

Current Research Current research activities include incremental rewriting (small 
changes in the initial term cause adaptations of the normal form rather than recomputation 
from scratch) [7]; origin tracking (automatically maintaining relations between initial 
term and normal form, with applications to the generation of error handlers and run-time 
animators from specifications of static or dynamic semantics of programming languages) 
[2]; generation of C-code from algebraic specifications; customizable user-interfaces for 
generated environments [6]; and experiments with the use of an abstract-interpretation style 
for specification and generation of type checkers [3]. 

More Information More information on the ASF+SDF system can be obtained by 
anonymous ftp: get file abstracts.ps.Z from ftp.cwi.nl in directory pub/gipe. 

Introduction Action Semantics is a framework for describing the semantics of programming 
languages [Mos92]. It is based on: 

• Action Notation, used for expressing so-called actions, which represent the semantics of 
programming constructs; and 

• Unified Algebras, used for specifying the data processed by actions, as well as for defining 
the abstract syntax and semantic functions for particular programming languages, and the 
symbols used in Action Notation. 

Currently, only little tool support for action semantics exists. Tool support, however, becomes 
more and more important, now that an increasing number of researchers and practitioners 
start using action semantics. Having simple tools that perform parsing, editing, checking or 
interpretation of action semantic descriptions is essential when writing large specifications. 

In order to obtain these tools, the ASF+SDF¹ [BHK89, Kli93] approach to tool generation 
from algebraic specifications of programming languages came to mind. The syntax of a language 
is described using the Syntax Definition Formalism SDF, which defines context-free syntax and 
signature at the same time. Functions operating on terms over such a signature are defined using 
(conditional) equations. Typical functions describe type checking, interpreting, compiling, etc. 
of programs. These functions are executed by interpreting the algebraic specifications as term 
rewriting systems. Moreover, from SDF definitions parsers can be generated, which in turn are 
used for the generation of syntax-directed editors². 

The MetaNotation Unified Algebra definitions are written in the MetaNotation. A syntax 
of the MetaNotation has been given in [Mos92, Appendix F], which we have transformed into 
an SDF definition. Although the MetaNotation supports a great deal of syntactic freedom, a 
context-free grammar could be given by choosing a liberal syntax for symbols and terms. This 
automatically resulted in a generated syntax-directed editor for the MetaNotation. 

¹ ASF+SDF is an abbreviation for Algebraic Specification Formalism + Syntax Definition Formalism. 
² During AMAST'93, a separate demonstration of ASF+SDF is given as well [DDM]. 

Checking MetaNotation Modules In the MetaNotation, symbols can be introduced and 
given functionalities, and then be used in formulae (equations). With the ASF+SDF parser 
generator at hand, an easy way to check consistency between definition and use is to derive 
SDF rules from functionality declarations, and to use these rules to try to parse the formulae. 
Thus we have written, in ASF+SDF, a translator taking a MetaNotation module as input and 
producing SDF rules from each functionality declaration in that module. 

Executing MetaNotation Modules Though the formulae allowed in the MetaNotation can 
be very general, a substantial number of equations in it (in particular, the equations defining 
semantic functions) can be interpreted as rewrite rules. Thus, we have written a translation 
function in the ASF+SDF formalism, taking a MetaNotation module as input and producing 
ASF equations. 

Tool Summary In summary, we have given algebraic specifications of (1) the abstract syntax 
of the MetaNotation, (2) a function translating MetaNotation function declarations to many- 
sorted signatures, and (3) a function mapping MetaNotation equations to rewrite rules. Using 
the ASF+SDF Meta-environment to execute these specifications has resulted in the following 
tools: 

• Parsing and syntax-directed editing of MetaNotation descriptions; 

• Checks on use of sorts for functions introduced in MetaNotation descriptions; 

• Translation of MetaNotation modules to corresponding ASF+SDF modules, allowing, e.g., 
execution of MetaNotation descriptions as term rewriting systems, as well as generation 
of parsers from grammar definitions given in MetaNotation. 

In the demonstration, we will illustrate the use of these tools by showing the action semantic 
description of a small imperative language called Pico. We will see syntax-directed editing of 
this definition, incremental generation of ASF+SDF modules from it, syntax-directed editing 
of Pico programs based on the generated SDF definition, and translation of Pico programs to 
Action Notation by interpreting the semantic equations as rewrite rules. 

The LOTOS toolbox is a coherent set of tools in support of the ISO standard 
(8807) Formal Description Technique LOTOS. This language is theoretically 
based on process algebra. For data typing the Abstract Data Type language 
ACT-ONE is used. LOTOS finds its main application in the area of distributed 
systems and data communications. 

One of the initial goals of the language was to be able to specify in a precise, yet 
implementation free way, the OSI data communication standard services and 
protocols. Currently, for many OSI standards related Working Papers exist in 
which the protocol or service is formally specified in LOTOS. 

LOTOS can also be utilised to aid in the design of distributed systems. The 
advantages of using LOTOS in design include increased precision in the communication 
among designers, and between designers and future users 
of the system; improved quality of the system through tool supported validation 
and testing; and animation and prototyping allowing early assessment of the 
system to be built. 

Tool overview 

The LOTOS toolbox contains a number of cooperating tools supporting the 
specification and implementation of LOTOS specifications. The toolset includes 
the following tools: 

• the TOPO front-end: syntax checking and static semantic checking. 

This tool produces a LOTOS specification in Common Representation 
(CR) format which is used as input by other tools. 

• the structure editor CRIE 

The structure editor guides the user in the correct use of LOTOS and 
provides syntax and static semantic checking on the fly. It also produces 
CR format specifications. 

• the system validator SMILE 

provides symbolic execution of LOTOS. SMILE allows the user to dynamically 
analyse the behaviour of his specification (CR format) by stepping 
through allowable events. 

• the graphical browser GLOW 

transforms a textual LOTOS specification (CR format) into a graphical 
representation according to the graphical LOTOS standard. 

• the TOPO back-end C-code generator 

"compiles" an implementation oriented LOTOS specification into a prototype 
which can be used for early evaluation of the designed system. 


Available platforms: 

Sun 3, Sun 4, SunOS, 16Mb memory, 35Mb disk 
HP, HP Unix, 16Mb memory, 35Mb disk 

The tools are commercially available. 




